From dd232695d3689b8bf00f5d255a8f5856cb686991 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 9 Dec 2022 18:50:57 +0000 Subject: [PATCH] feat(profiles): refactor all chromium based browsers. All chromium based browsers now use the new chromium abstraction. --- .../chromium} | 113 +++++++---- apparmor.d/groups/browsers/brave | 125 ++---------- apparmor.d/groups/browsers/brave-browser | 33 ---- apparmor.d/groups/browsers/brave-sandbox | 21 +- apparmor.d/groups/browsers/brave-wrapper | 35 ++++ apparmor.d/groups/browsers/chrome | 37 ++++ ...ashpad-handler => chrome-crashpad-handler} | 18 +- apparmor.d/groups/browsers/chrome-sandbox | 33 ++++ apparmor.d/groups/browsers/chrome-wrapper | 40 ++++ apparmor.d/groups/browsers/chromium | 47 +---- ...hpad-handler => chromium-crashpad-handler} | 14 +- ...romium-chrome-sandbox => chromium-sandbox} | 15 +- apparmor.d/groups/browsers/chromium-wrapper | 52 +++++ .../groups/browsers/google-chrome-chrome | 179 ------------------ .../browsers/google-chrome-chrome-sandbox | 38 ---- .../browsers/google-chrome-google-chrome | 39 ---- apparmor.d/groups/browsers/opera | 121 +----------- .../groups/browsers/opera-crashreporter | 27 ++- apparmor.d/groups/browsers/opera-sandbox | 24 ++- 19 files changed, 366 insertions(+), 645 deletions(-) rename apparmor.d/{groups/browsers/chromium-chromium => abstractions/chromium} (60%) delete mode 100644 apparmor.d/groups/browsers/brave-browser create mode 100644 apparmor.d/groups/browsers/brave-wrapper create mode 100644 apparmor.d/groups/browsers/chrome rename apparmor.d/groups/browsers/{google-chrome-chrome-crashpad-handler => chrome-crashpad-handler} (60%) create mode 100644 apparmor.d/groups/browsers/chrome-sandbox create mode 100644 apparmor.d/groups/browsers/chrome-wrapper rename apparmor.d/groups/browsers/{chromium-chrome-crashpad-handler => chromium-crashpad-handler} (71%) rename apparmor.d/groups/browsers/{chromium-chrome-sandbox => chromium-sandbox} (74%) create mode 100644 apparmor.d/groups/browsers/chromium-wrapper delete mode 100644 
apparmor.d/groups/browsers/google-chrome-chrome delete mode 100644 apparmor.d/groups/browsers/google-chrome-chrome-sandbox delete mode 100644 apparmor.d/groups/browsers/google-chrome-google-chrome diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/abstractions/chromium similarity index 60% rename from apparmor.d/groups/browsers/chromium-chromium rename to apparmor.d/abstractions/chromium index 690bba1e..60a75b3c 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/abstractions/chromium @@ -1,19 +1,20 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2022 Mikhail Morfikov # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Warning: Such a profile is limitted as it gives access to a lot of resources. +# For chromium based browser. If your application require chromium ro run +# (like electron) use abstractions/chromium-common instead. -abi , +# This abstraction requires the following variables definied in the profile header: +# @{chromium_name} = chromium +# @{chromium_domain} = org.chromium.Chromium +# @{chromium_install_dirs} = /{usr/,}lib/chromium +# @{chromium_config_dirs} = @{user_config_dirs}/chromium +# @{chromium_cache_dirs} = @{user_cache_dirs}/chromium -include + abi , -@{exec_path} = /{usr/,}lib/chromium/chromium -profile chromium-chromium @{exec_path} flags=(attach_disconnected) { - include include - include include include include @@ -29,6 +30,10 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { include include + capability setgid, + capability setuid, + capability sys_admin, + capability sys_chroot, capability sys_ptrace, ptrace (read) peer=browserpass, 
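Review bot: The four capabilities added in @@ -29,6 +30,10 @@ (`capability setgid,`, `setuid`, `sys_admin`, `sys_chroot`) enter the abstraction without a comment, so every consumer profile now receives them silently; the old brave-sandbox carried `# For kernel unprivileged user namespaces` for exactly this set, and that rationale should travel with them, e.g. `# For the unprivileged user namespace sandbox (see the uid_map/gid_map/setgroups rules below)`, since the `owner @{PROC}/@{pid}/{uid,gid}_map w` and `setgroups w` rules in @@ -126,12 +161,15 @@ appear to serve the same purpose. If the set is only needed when chrome-sandbox is not installed setuid-root, that caveat belongs in the same comment. Separately, the new header text in @@ -1,19 +1,20 @@ has typos; suggested wording: `# For chromium based browsers. If your application requires chromium to run` / `# (like electron) use abstractions/chromium-common instead.` and `# This abstraction requires the following variables defined in the profile header:`.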
@@ -39,8 +44,9 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=xdg-settings, ptrace (trace) peer=@{profile_name}, + signal (receive) peer=@{profile_name}-crashpad-handler, + signal (send) set=(term, kill) peer=@{profile_name}-sandbox, signal (send) set=(term, kill) peer=keepassxc-proxy, - signal (receive) peer=chromium-chrome-crashpad-handler, network inet dgram, network inet6 dgram, @@ -48,17 +54,11 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - @{exec_path} mrix, - - /{usr/,}bin/chrome-gnome-shell rPx, - /{usr/,}bin/gnome-browser-connector-host rPx, - /{usr/,}lib/chromium/chrome-sandbox rPx, - /{usr/,}lib/chromium/chrome_crashpad_handler rPx, - - # For storing passwords externally - /{usr/,}bin/keepassxc-proxy rPUx, - /{usr/,}bin/browserpass rPx, + @{chromium_install_dirs}/{,**} r, + @{chromium_install_dirs}/chrome_crashpad_handler rPx, + @{chromium_install_dirs}/chrome-sandbox rPx, + # Desktop integration /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/xdg-desktop-menu rPx, /{usr/,}bin/xdg-email rPx, 
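Review bot: The signal rules added in @@ -39,8 +44,9 @@ hard-code the helper profile names as `@{profile_name}-crashpad-handler` and `@{profile_name}-sandbox`, which turns a naming convention into part of the abstraction's contract; a consumer whose helpers are named differently gets a silent signal denial at runtime rather than an error at parse time. The diffstat lists `opera-crashreporter` and this patch adds no `brave-crashpad-handler`, so at least the opera profile presumably will not match the `-crashpad-handler` peer. Either state the convention in the header comment, e.g. `# Consumers must name their helper profiles <profile>-sandbox and <profile>-crashpad-handler`, or move the two signal rules into the consumer profiles where the peer names are known.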
@@ -67,15 +67,33 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/xdg-open rPx -> child-open, /{usr/,}bin/xdg-settings rPx, - /usr/share/chromium/{,**} r, + # Installing/removing extensions & applications + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/touch rix, + + # For storing passwords externally + /{usr/,}bin/keepassxc-proxy rPUx, + /{usr/,}bin/browserpass rPx, + + # Gnome shell integration + /{usr/,}bin/chrome-gnome-shell rPx, + /{usr/,}bin/gnome-browser-connector-host rPx, + + /usr/share/@{chromium_name}/{,**} r, + /usr/share/chromium/extensions/{,**} r, /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mozilla/extensions/{,**} r, /usr/share/webext/{,**} r, - /etc/chromium/ r, - /etc/chromium/master_preferences r, - /etc/chromium/native-messaging-hosts/*.json r, + /etc/@{chromium_name}/{,**} r, /etc/fstab r, /etc/libva.conf r, /etc/opensc.conf r, 
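Review bot: `/etc/@{chromium_name}/{,**} r,` replaces three targeted rules (`/etc/chromium/ r`, `master_preferences`, `native-messaging-hosts/*.json`) with a whole-tree read, and for consumers whose `@{chromium_name}` is not `chromium` it expands to directories such as `/etc/chrome{,-beta,-unstable}/` or `/etc/brave{,-beta,-dev}/`; the brave profile still needs its own `/etc/opt/chrome/ r,`, so it is worth confirming which /etc locations each browser actually reads instead of relying on the name substitution. A comment such as `# Distribution-wide policies and preferences` would also make the broadened rule's intent explicit. `/usr/share/chromium/extensions/{,**} r,` is already covered by the preceding `/usr/share/@{chromium_name}/{,**} r,` when `@{chromium_name}` is `chromium`; if it is kept for the other browsers, a one-line comment saying so would stop it being removed as a duplicate later.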
@@ -86,19 +104,28 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { owner @{HOME}/ r, - owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/chromium/ rw, - owner @{user_config_dirs}/chromium/** rwk, - owner @{user_config_dirs}/chromium/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw, - owner @{user_config_dirs}/gtk-3.0/servers r, + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/chromium/{,**/} rw, - owner @{user_cache_dirs}/chromium/*/**/{*-,}index rw, - owner @{user_cache_dirs}/chromium/*/**/[a-f0-9]*_? rw, - owner @{user_cache_dirs}/chromium/*/**/todelete_* rw, - + owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/gtk-3.0/servers r, owner @{user_share_dirs}/ r, + owner @{user_share_dirs}/.@{chromium_domain}.* rw, + + owner @{chromium_config_dirs}/ rw, + owner @{chromium_config_dirs}/** rwk, + owner @{chromium_config_dirs}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw, + + owner @{chromium_cache_dirs}/{,**/} rw, + owner @{chromium_cache_dirs}/*/**/{*-,}index rw, + owner @{chromium_cache_dirs}/*/**/@{hex}_? rw, + owner @{chromium_cache_dirs}/*/**/todelete_* rw, + owner @{chromium_cache_dirs}/PnaclTranslationCache/index rw, + owner @{chromium_cache_dirs}/PnaclTranslationCache/data_[0-9]*[0-9] rw, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, 
@@ -112,11 +139,19 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, + /tmp/ r, + /var/tmp/ r, + owner /tmp/.@{chromium_domain}.* rw, + owner /tmp/.@{chromium_domain}*/{,**} rw, + owner /tmp/@{chromium_name}-crashlog-[0-9]*-[0-9]*.txt rw, owner /tmp/scoped_dir*/{,**} rw, owner /tmp/tmp.* rw, owner /tmp/tmp.*/ rw, owner /tmp/tmp.*/** rwk, + /dev/shm/ r, + owner /dev/shm/.@{chromium_domain}* rw, + @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/stat r, @@ -126,12 +161,15 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/vmstat r, + owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/setgroups w, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/uid_map w, owner @{PROC}/@{pids}/clear_refs w, owner @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pids}/environ r, @@ -149,6 +187,8 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/irq r, @{sys}/devices/pci[0-9]*/**/report_descriptor r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/system/cpu/present r, @{sys}/devices/virtual/**/report_descriptor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @@ -159,12 +199,11 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/video[0-9]* rw, - # file_inherit + # File Inherit owner /dev/tty[0-9]* rw, # Silencer - deny /{usr/,}lib/chromium/** w, + deny @{chromium_install_dirs}/** w, deny @{user_share_dirs}/gvfs-metadata/* r, - include if exists -} + include if exists 
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index c4e123e1..5bd500b5 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave 
@@ -7,139 +7,38 @@ abi , include -@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev} -@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} -@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} +@{chromium_name} = brave{,-beta,-dev} +@{chromium_domain} = com.brave.Brave +@{chromium_install_dirs} = /opt/brave.com/@{chromium_name} +@{chromium_config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} +@{chromium_cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} -@{exec_path} = @{BRAVE_INSTALLDIR}/brave{,-beta,-dev} +@{exec_path} = @{chromium_install_dirs}/@{chromium_name} profile brave @{exec_path} { include - include - include - include - include - include - include - include - include - include - include - include - include - include - - capability sys_ptrace, - - ptrace (read), + include @{exec_path} mrix, - @{BRAVE_INSTALLDIR}/{,**} r, - @{BRAVE_INSTALLDIR}/{brave,chrome}-sandbox rPx, - @{BRAVE_INSTALLDIR}/brave-browser{,-beta,-dev} rPx, - @{BRAVE_INSTALLDIR}/swiftshader/libGLESv2.so mr, - @{BRAVE_INSTALLDIR}/swiftshader/libEGL.so mr, + /{usr/,}bin/man rPUx, # For "brave --help" - # When installing/removing extensions - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/touch rix, - - # For storing passwords externally - /{usr/,}bin/keepassxc-proxy rPUx, - /{usr/,}bin/browserpass rPx, - - /{usr/,}bin/man rPUx, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-open rPx -> child-open, - /{usr/,}bin/xdg-settings rPx, - /{usr/,}bin/xdg-mime rPx, + @{chromium_install_dirs}/swiftshader/libGLESv2.so mr, + @{chromium_install_dirs}/swiftshader/libEGL.so mr, /usr/share/chromium/extensions/ r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/fstab r, /etc/opt/chrome/ r, - /var/lib/dbus/machine-id 
r, - /etc/machine-id r, - - owner @{HOME}/ r, owner @{user_config_dirs}/BraveSoftware/ w, - owner @{BRAVE_HOMEDIR}/ rw, - owner @{BRAVE_HOMEDIR}/** rwk, - owner @{BRAVE_HOMEDIR}/WidevineCdm/libwidevinecdm.so mrw, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/BraveSoftware/ rw, - owner @{BRAVE_CACHEDIR}/{,**/} rw, - owner @{BRAVE_CACHEDIR}/*/**/{*-,}index rw, - owner @{BRAVE_CACHEDIR}/*/**/[a-f0-9]*_? rw, - owner @{BRAVE_CACHEDIR}/*/**/todelete_* rw, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, - # For importing data (bookmarks, cookies, etc) from Firefox - # owner @{HOME}/.mozilla/firefox/profiles.ini r, - # owner @{HOME}/.mozilla/firefox/*/ r, - # owner @{HOME}/.mozilla/firefox/*/compatibility.ini r, - # owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r, - # owner @{HOME}/.mozilla/firefox/*/.parentlock rwk, - # owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk, - # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, - # owner @{HOME}/.mozilla/firefox/*/logins.json r, - - # For importing data (bookmarks, cookies, etc) from Chromium - # owner "@{user_config_dirs}/chromium/Local State" r, - # owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w, - # owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk, - # owner @{user_config_dirs}/chromium/*/ r, - # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk, + owner @{chromium_config_dirs}/WidevineCdm/libwidevinecdm.so mrw, + owner @{chromium_cache_dirs}/BraveSoftware/ rw, owner /tmp/net-export/ rw, # For brave://net-export/ - @{PROC}/ r, - deny @{PROC}/vmstat r, - deny @{PROC}/stat r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/@{pid}/fd/ r, - deny @{PROC}/@{pids}/stat r, - deny @{PROC}/@{pids}/statm r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - deny @{PROC}/@{pids}/cmdline r, - owner 
@{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/status r, - deny owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/clear_refs w, - @{PROC}/sys/fs/inotify/max_user_watches r, - deny @{PROC}/filesystems r, - - @{run}/udev/data/* r, - - @{sys}/bus/ r, - @{sys}/bus/**/devices/ r, - @{sys}/class/ r, - @{sys}/class/**/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/pci[0-9]*/**/irq r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, - @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, - @{sys}/devices/virtual/tty/tty[0-9]/active r, - - /dev/bus/usb/[0-9]*/[0-9]* rw, - # Silencer - deny @{BRAVE_INSTALLDIR}/** w, deny /etc/opt/chrome/ w, include if exists diff --git a/apparmor.d/groups/browsers/brave-browser b/apparmor.d/groups/browsers/brave-browser deleted file mode 100644 index 3faaaf3a..00000000 --- a/apparmor.d/groups/browsers/brave-browser +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2022 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev} -@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} -@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} - -@{exec_path} = @{BRAVE_INSTALLDIR}/brave-browser{,-beta,-dev} -profile brave-browser @{exec_path} { - include - include - - @{exec_path} r, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cat rix, - - @{BRAVE_INSTALLDIR}/brave rPx, - - owner @{PROC}/@{pid}/fd/ w, - - include if exists -} 
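Review bot: `owner @{chromium_cache_dirs}/BraveSoftware/ rw,` does not do what the removed `owner @{user_cache_dirs}/BraveSoftware/ rw,` did: with `@{chromium_cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}` it expands to `@{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/BraveSoftware/`, a path that should not exist, while the real parent directory of the cache dir loses its rule (the abstraction grants `@{user_cache_dirs}/ rw` and `@{chromium_cache_dirs}/{,**/} rw` but nothing in between). It should read `owner @{user_cache_dirs}/BraveSoftware/ rw,`, mirroring the `owner @{user_config_dirs}/BraveSoftware/ w,` rule kept just above it. `/usr/share/chromium/extensions/ r,` is now redundant with the abstraction's `/usr/share/chromium/extensions/{,**} r,`. The profile also drops `/dev/bus/usb/[0-9]*/[0-9]* rw,` and the `@{sys}/devices/pci[0-9]*/**/usb[0-9]/...` rules with no replacement visible in the abstraction hunks, so USB device access may regress unless those rules live in an unchanged part of the abstraction.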
diff --git a/apparmor.d/groups/browsers/brave-sandbox b/apparmor.d/groups/browsers/brave-sandbox index 46574327..d32b52cb 100644 --- a/apparmor.d/groups/browsers/brave-sandbox +++ b/apparmor.d/groups/browsers/brave-sandbox @@ -1,31 +1,32 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev} -@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} -@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} - abi , include -@{exec_path} = @{BRAVE_INSTALLDIR}/{brave,chrome}-sandbox +@{chromium_install_dirs} = /opt/brave.com/brave{,-beta,-dev} + +@{exec_path} = @{chromium_install_dirs}/{brave,chrome}-sandbox profile brave-sandbox @{exec_path} { include - # For kernel unprivileged user namespaces + capability setgid, + capability setuid, capability sys_admin, capability sys_chroot, - capability setuid, - capability setgid, + capability sys_resource, @{exec_path} mr, - @{BRAVE_INSTALLDIR}/brave rPx, + @{chromium_install_dirs}/brave rPx, + @{PROC} r, @{PROC}/@{pids}/ r, - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, include if exists } diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper new file mode 100644 index 00000000..05025858 --- /dev/null +++ b/apparmor.d/groups/browsers/brave-wrapper 
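Review bot: `@{PROC} r,` has no trailing slash, and AppArmor only matches a directory when the rule path ends in `/`, so this rule will not grant the directory listing it appears to intend; the abstraction itself uses `@{PROC}/ r,` and this line should read `@{PROC}/ r,`. The same slash-less line is added in chrome-sandbox (@@ -0,0 +1,33 @@), while chromium-sandbox (@@ -8,21 +8,22 @@) has no such rule at all, so the three sandbox profiles are not in step. Turning `deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,` into an allow in all three sandbox profiles lets the setuid sandbox helper adjust its own OOM score; the old deny was a deliberate silencer, so a comment on the new rule (or the commit message) should say why the write is now required.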
@@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{chromium_install_dirs} = /opt/brave.com/brave{,-beta,-dev} + +@{exec_path} = @{chromium_install_dirs}/brave-browser{,-beta,-dev} +profile brave-wrapper @{exec_path} { + include + include + + @{exec_path} r, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/which{,.debianutils} rix, + + @{chromium_install_dirs}/brave rPx, + + owner @{PROC}/@{pid}/fd/ w, + + # Silencer + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists +} diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome new file mode 100644 index 00000000..633daf8f --- /dev/null +++ b/apparmor.d/groups/browsers/chrome 
@@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{chromium_name} = chrome{,-beta,-unstable} +@{chromium_domain} = com.google.Chrome +@{chromium_install_dirs} = /opt/google/@{chromium_name} +@{chromium_config_dirs} = @{user_config_dirs}/google-@{chromium_name} +@{chromium_cache_dirs} = @{user_cache_dirs}/google-@{chromium_name} + +@{exec_path} = @{chromium_install_dirs}/@{chromium_name} +profile chrome @{exec_path} { + include + include + + @{exec_path} mrix, + + /{usr/,}bin/man rPUx, # For "chrome --help" + + @{chromium_install_dirs}/google-chrome{,-beta,-unstable} rPx, + + @{chromium_install_dirs}/nacl_helper rix, + @{chromium_install_dirs}/xdg-mime rix, #-> xdg-mime, + @{chromium_install_dirs}/xdg-settings rix, #-> xdg-settings, + + @{chromium_install_dirs}/*.so* mr, + @{chromium_install_dirs}/libwidevinecdm.so mr, + @{chromium_install_dirs}/libwidevinecdmadapter.so mr, + @{chromium_install_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr, + + include if exists +} diff --git a/apparmor.d/groups/browsers/google-chrome-chrome-crashpad-handler b/apparmor.d/groups/browsers/chrome-crashpad-handler similarity index 60% rename from apparmor.d/groups/browsers/google-chrome-chrome-crashpad-handler rename to apparmor.d/groups/browsers/chrome-crashpad-handler index 58f88dcd..1e43dfea 100644 --- a/apparmor.d/groups/browsers/google-chrome-chrome-crashpad-handler +++ b/apparmor.d/groups/browsers/chrome-crashpad-handler 
@@ -3,32 +3,34 @@ # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , include -@{exec_path} = /opt/google/chrome/chrome_crashpad_handler -profile google-chrome-crashpad-handler @{exec_path} flags=(complain) { +@{chromium_install_dirs} = /opt/google/chrome{,-beta,-unstable} +@{chromium_config_dirs} = @{user_config_dirs}/google-chrome{,-beta,-unstable} + +@{exec_path} = @{chromium_install_dirs}/chrome_crashpad_handler +profile chrome-crashpad-handler @{exec_path} { include capability sys_ptrace, - ptrace peer=chromium-chromium, - signal (send) peer=chromium-chromium, + ptrace peer=chrome, + signal (send) peer=chrome, @{exec_path} mrix, - owner "@{HOME}/.config/google-chrome/Crash Reports/**" rwk, + owner "@{chromium_config_dirs}/Crash Reports/**" rwk, + @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pids}/mem r, owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/task/ r, - @{PROC}/sys/kernel/yama/ptrace_scope r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_max_freq r, - include if exists + include if exists } diff --git a/apparmor.d/groups/browsers/chrome-sandbox b/apparmor.d/groups/browsers/chrome-sandbox new file mode 100644 index 00000000..5fc4508d --- /dev/null +++ b/apparmor.d/groups/browsers/chrome-sandbox 
@@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{chromium_install_dirs} = /opt/google/chrome{,-stable,-beta,-unstable} + +@{exec_path} = @{chromium_install_dirs}/chrome-sandbox +profile chrome-sandbox @{exec_path} { + include + + capability setgid, + capability setuid, + capability sys_admin, + capability sys_chroot, + capability sys_resource, + + @{exec_path} mr, + + @{chromium_install_dirs}/chrome rPx, + @{chromium_install_dirs}/nacl_helper rix, + + @{PROC} r, + @{PROC}/@{pids}/ r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + + include if exists +} diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper new file mode 100644 index 00000000..d32c5e50 --- /dev/null +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{chromium_install_dirs} = /opt/google/chrome{,-beta,-unstable} + +@{exec_path} = @{chromium_install_dirs}/google-chrome{,-beta,-unstable} +profile chrome-wrapper @{exec_path} { + include + include + + @{exec_path} r, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/which{,.debianutils} rix, + + @{chromium_install_dirs}/chrome rPx, + + owner @{user_config_dirs}/chrome-flags.conf r, + + owner @{PROC}/@{pid}/fd/* rw, + + # File Inherit + owner @{HOME}/.xsession-errors w, + + # Silencer + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists +} diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium index d0dbb375..e3a93810 100644 
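Review bot: `@{chromium_install_dirs} = /opt/google/chrome{,-stable,-beta,-unstable}` includes a `-stable` alternative that the sibling definitions in chrome (@@ -0,0 +1,37 @@), chrome-crashpad-handler (@@ -3,32 +3,34 @@) and chrome-wrapper in this hunk do not have. If a `/opt/google/chrome-stable/` install exists, this profile attaches to its `chrome-sandbox` and `@{chromium_install_dirs}/chrome rPx` then needs a profile attached to `/opt/google/chrome-stable/chrome`, which the `chrome` profile's `@{exec_path}` does not cover, so the transition would be denied; if no such directory exists the alternative is dead. Use one alternation for all four profiles, and consider `# Must match @{chromium_install_dirs} in the chrome profile` on the definition line to keep them aligned.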
--- a/apparmor.d/groups/browsers/chromium +++ b/apparmor.d/groups/browsers/chromium @@ -7,45 +7,18 @@ abi , include -@{exec_path} = /{usr/,}bin/chromium -profile chromium @{exec_path} flags=(attach_disconnected) { +@{chromium_name} = chromium +@{chromium_domain} = org.chromium.Chromium +@{chromium_install_dirs} = /{usr/,}lib/@{chromium_name} +@{chromium_config_dirs} = @{user_config_dirs}/@{chromium_name} +@{chromium_cache_dirs} = @{user_cache_dirs}/@{chromium_name} + +@{exec_path} = @{chromium_install_dirs}/@{chromium_name} +profile chromium @{exec_path} { include - include + include - @{exec_path} r, - - /{usr/,}lib/chromium/chromium rPx, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/uname rix, - - /{usr/,}bin/gdb rPUx, - /{usr/,}bin/man rPUx, - - /usr/share/chromium/extensions/ r, - - /etc/chromium.d/{,*} r, - /etc/debian_version r, - - owner @{HOME}/.xsession-errors w, - - owner /tmp/chromiumargs.?????? rw, - owner /tmp/tmp.*/ rw, - owner /tmp/tmp.*/** rwk, - - owner /dev/tty[0-9]* rw, - /dev/dri/card[0-9] rw, - - deny @{user_share_dirs}/gvfs-metadata/* r, + @{exec_path} mrix, include if exists } diff --git a/apparmor.d/groups/browsers/chromium-chrome-crashpad-handler b/apparmor.d/groups/browsers/chromium-crashpad-handler similarity index 71% rename from apparmor.d/groups/browsers/chromium-chrome-crashpad-handler rename to apparmor.d/groups/browsers/chromium-crashpad-handler index 8f7606a6..6808587e 100644 --- a/apparmor.d/groups/browsers/chromium-chrome-crashpad-handler +++ b/apparmor.d/groups/browsers/chromium-crashpad-handler 
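Review bot: The rewritten `profile chromium @{exec_path} {` drops the `flags=(attach_disconnected)` that both the old `profile chromium` line removed here and the old `profile chromium-chromium` line removed in abstractions/chromium (@@ -1,19 +1,20 @@) carried, and an abstraction cannot supply profile flags. The brave and chrome profiles in this patch run without the flag too, but the chromium binary previously had it, presumably for disconnected paths created by the namespace sandbox, so it is worth checking whether enforce mode now logs disconnected-path denials. If the flag is still needed the line should be `profile chromium @{exec_path} flags=(attach_disconnected) {`, and a short comment above it explaining why would prevent it being dropped again.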
@@ -7,27 +7,29 @@ abi , include +@{chromium_config_dirs} = @{user_config_dirs}/chromium + @{exec_path} = /{usr/,}lib/chromium/chrome_crashpad_handler -profile chromium-chrome-crashpad-handler @{exec_path} flags=(complain) { +profile chromium-crashpad-handler @{exec_path} { include capability sys_ptrace, - ptrace peer=chromium-chromium, - signal (send) peer=chromium-chromium, + ptrace peer=chromium, + signal (send) peer=chromium, @{exec_path} mrix, - owner "@{HOME}/.config/chromium/Crash Reports/**" rwk, + owner "@{chromium_config_dirs}/Crash Reports/**" rwk, + @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pids}/mem r, owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/task/ r, - @{PROC}/sys/kernel/yama/ptrace_scope r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_max_freq r, - include if exists + include if exists } diff --git a/apparmor.d/groups/browsers/chromium-chrome-sandbox b/apparmor.d/groups/browsers/chromium-sandbox similarity index 74% rename from apparmor.d/groups/browsers/chromium-chrome-sandbox rename to apparmor.d/groups/browsers/chromium-sandbox index bf38f356..e2828acc 100644 --- a/apparmor.d/groups/browsers/chromium-chrome-sandbox +++ b/apparmor.d/groups/browsers/chromium-sandbox @@ -8,21 +8,22 @@ abi , include @{exec_path} = /{usr/,}lib/chromium/chrome-sandbox -profile chromium-chrome-sandbox @{exec_path} { +profile chromium-sandbox @{exec_path} { include + capability dac_override, + capability setgid, + capability setuid, capability sys_admin, capability sys_chroot, - capability setuid, - capability setgid, - capability dac_override, capability sys_resource, @{exec_path} mr, + /{usr/,}lib/chromium/chromium rPx, - @{PROC}/@{pids}/ r, - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + @{PROC}/@{pids}/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, - include if exists + include if exists } 
diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper new file mode 100644 index 00000000..cc71f68f --- /dev/null +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -0,0 +1,52 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/chromium +profile chromium-wrapper @{exec_path} { + include + include + + @{exec_path} r, + + /{usr/,}lib/chromium/chromium rPx, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/uname rix, + + /{usr/,}bin/man rPUx, # For "chromium --help" + # /{usr/,}bin/gdb rPUx, + + /usr/share/chromium/extensions/ r, + + /etc/chromium.d/{,*} r, + /etc/debian_version r, + + owner @{HOME}/.xsession-errors w, + + owner /tmp/chromiumargs.?????? rw, + owner /tmp/tmp.*/ rw, + owner /tmp/tmp.*/** rwk, + + owner /dev/tty[0-9]* rw, + /dev/dri/card[0-9] rw, + + # Silencer + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists +} diff --git a/apparmor.d/groups/browsers/google-chrome-chrome b/apparmor.d/groups/browsers/google-chrome-chrome deleted file mode 100644 index 1f771685..00000000 --- a/apparmor.d/groups/browsers/google-chrome-chrome +++ /dev/null 
@@ -1,179 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# Copyright (C) 2022 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{chromiun_domain} = "com.google.Chrome" -@{chromiun_install_dirs} = /opt/google/chrome{,-beta,-unstable} -@{chromiun_config_dirs} = @{user_config_dirs}/google-chrome{,-beta,-unstable} -@{chromiun_cache_dirs} = @{user_cache_dirs}/google-chrome{,-beta,-unstable} - -@{exec_path} = @{chromiun_install_dirs}/chrome{,-beta,-unstable} -profile google-chrome-chrome @{exec_path} { - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - capability sys_ptrace, - - ptrace (read) peer=browserpass, - ptrace (read) peer=chrome-gnome-shell, - ptrace (read) peer=gnome-browser-connector-host, - ptrace (read) peer=keepassxc-proxy, - ptrace (read) peer=lsb_release, - ptrace (read) peer=xdg-settings, - ptrace (trace) peer=@{profile_name}, - - signal (send) set=(term, kill) peer=keepassxc-proxy, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mrix, - - @{chromiun_install_dirs}/{,**} r, - @{chromiun_install_dirs}/*.so* mr, - @{chromiun_install_dirs}/chrome_crashpad_handler rPx, - @{chromiun_install_dirs}/chrome-sandbox rPx, - @{chromiun_install_dirs}/google-chrome{,-beta,-unstable} rPx, - @{chromiun_install_dirs}/libwidevinecdm.so mr, - @{chromiun_install_dirs}/libwidevinecdmadapter.so mr, - @{chromiun_install_dirs}/nacl_helper rix, - @{chromiun_install_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr, - @{chromiun_install_dirs}/xdg-mime rix, - @{chromiun_install_dirs}/xdg-settings rix, - - # For "google-chrome --help" - /{usr/,}bin/man rPUx, - - # For storing passwords externally - /{usr/,}bin/keepassxc-proxy rPUx, - /{usr/,}bin/browserpass rPx, - - 
/{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-desktop-menu rPx, - /{usr/,}bin/xdg-mime rPx, - /{usr/,}bin/xdg-open rPx -> child-open, - /{usr/,}bin/xdg-settings rPx, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - /etc/fstab r, - /etc/libva.conf r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # Google Chrome home files - owner @{HOME}/ r, - owner @{chromiun_config_dirs}/ rw, - owner @{chromiun_config_dirs}/** rwk, - - owner @{user_share_dirs}/.@{chromiun_domain}.* rw, - - owner @{user_cache_dirs}/ rw, - owner @{chromiun_cache_dirs}/{,**/} rw, - owner @{chromiun_cache_dirs}/*/**/{*-,}index rw, - owner @{chromiun_cache_dirs}/*/**/[a-f0-9]*_? rw, - owner @{chromiun_cache_dirs}/*/**/todelete_* rw, - owner @{chromiun_cache_dirs}/PnaclTranslationCache/index rw, - owner @{chromiun_cache_dirs}/PnaclTranslationCache/data_[0-9]*[0-9] rw, - - # For importing data (bookmarks, cookies, etc) from Firefox - # owner @{HOME}/.mozilla/firefox/profiles.ini r, - # owner @{HOME}/.mozilla/firefox/*/ r, - # owner @{HOME}/.mozilla/firefox/*/compatibility.ini r, - # owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r, - # owner @{HOME}/.mozilla/firefox/*/.parentlock rwk, - # owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk, - # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, - # owner @{HOME}/.mozilla/firefox/*/logins.json r, - - # For importing data (bookmarks, cookies, etc) from Chromium - # owner "@{user_config_dirs}/chromium/Local State" r, - # owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w, - # owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk, - # owner @{user_config_dirs}/chromium/*/ r, - # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk, - - owner /dev/shm/.@{chromiun_domain}* rw, - owner /tmp/.@{chromiun_domain}.* rw, - owner /tmp/.@{chromiun_domain}*/{,**} rw, - owner /tmp/scoped_dir*/{,**} rw, - owner /tmp/tmp.* 
rw, - owner /tmp/tmp.*/ rw, - owner /tmp/tmp.*/** rwk, - - @{PROC}/ r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/vmstat r, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pids}/clear_refs w, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pids}/task/ r, - - @{run}/udev/data/* r, - - @{sys}/bus/ r, - @{sys}/bus/**/devices/ r, - @{sys}/class/ r, - @{sys}/class/**/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/pci[0-9]*/**/boot_vga r, - @{sys}/devices/pci[0-9]*/**/irq r, - @{sys}/devices/pci[0-9]*/**/report_descriptor r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idProduct,idVendor,interface} r, - @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/system/cpu/present r, - @{sys}/devices/virtual/**/report_descriptor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty[0-9]/active r, - - /dev/ r, - /dev/hidraw[0-9]* rw, - /dev/tty rw, - /dev/video[0-9]* rw, - - # Silencer - deny @{chromiun_install_dirs}/** w, - deny @{user_share_dirs}/gvfs-metadata/* r, - - include if exists -} diff --git a/apparmor.d/groups/browsers/google-chrome-chrome-sandbox b/apparmor.d/groups/browsers/google-chrome-chrome-sandbox deleted file mode 100644 index 5fb0db20..00000000 
--- a/apparmor.d/groups/browsers/google-chrome-chrome-sandbox +++ /dev/null @@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable} -@{CHROME_HOMEDIR} = @{user_config_dirs}/google-chrome{,-beta,-unstable} -@{CHROME_CACHEDIR} = @{user_cache_dirs}/google-chrome{,-beta,-unstable} - -@{exec_path} = @{CHROME_INSTALLDIR}/chrome-sandbox -profile google-chrome-chrome-sandbox @{exec_path} { - include - - # For kernel unprivileged user namespaces - capability sys_admin, - capability sys_chroot, - capability setuid, - capability setgid, - - # optional - capability sys_resource, - - @{exec_path} mr, - @{CHROME_INSTALLDIR}/chrome rPx, - @{CHROME_INSTALLDIR}/nacl_helper rix, - - deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, - - @{PROC} r, - @{PROC}/@{pids}/ r, - owner @{PROC}/@{pid}/fd/ r, - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - - include if exists -} diff --git a/apparmor.d/groups/browsers/google-chrome-google-chrome b/apparmor.d/groups/browsers/google-chrome-google-chrome deleted file mode 100644 index 3c3f646f..00000000 --- a/apparmor.d/groups/browsers/google-chrome-google-chrome +++ /dev/null 
@@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable} -@{CHROME_HOMEDIR} = @{user_config_dirs}/google-chrome{,-beta,-unstable} -@{CHROME_CACHEDIR} = @{user_cache_dirs}/google-chrome{,-beta,-unstable} - -@{exec_path} = @{CHROME_INSTALLDIR}/google-chrome{,-beta,-unstable} -profile google-chrome-google-chrome @{exec_path} { - include - include - - @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - - /{usr/,}bin/cat rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/which{,.debianutils} rix, - - @{CHROME_INSTALLDIR}/chrome rPx, - - owner @{PROC}/@{pid}/fd/* rw, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - # Silencer - deny @{user_share_dirs}/gvfs-metadata/* r, - - include if exists -} diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index b793e502..ab3b7409 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera 
@@ -7,126 +7,25 @@ abi , include -@{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer} -@{OPERA_HOMEDIR} = @{user_config_dirs}/opera{,-beta,-developer} -@{OPERA_CACHEDIR} = @{user_cache_dirs}/opera{,-beta,-developer} +@{chromium_name} = opera{,-beta,-developer} +@{chromium_domain} = com.opera.Opera +@{chromium_install_dirs} = /{usr/,}lib/@{multiarch}/@{chromium_name} +@{chromium_config_dirs} = @{user_config_dirs}/@{chromium_name} +@{chromium_cache_dirs} = @{user_cache_dirs}/@{chromium_name} -@{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer} +@{exec_path} = @{chromium_install_dirs}/@{chromium_name} profile opera @{exec_path} { include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - ptrace (trace) peer=@{profile_name}, - - signal (send) set=(term, kill) peer=opera-sandbox, - signal (send) set=(term, kill) peer=keepassxc-proxy, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, + include @{exec_path} mrix, - /{usr/,}bin/which{,.debianutils} rix, - - @{OPERA_INSTALLDIR}/opera_sandbox rPx, - @{OPERA_INSTALLDIR}/opera_crashreporter rPx, - @{OPERA_INSTALLDIR}/opera_autoupdate krix, + @{chromium_install_dirs}/opera_autoupdate krix, + @{chromium_install_dirs}/opera_crashreporter rPx, + @{chromium_install_dirs}/opera-sandbox rPx, /opt/google/chrome{,-beta,-unstable}/libwidevinecdm.so mr, /opt/google/chrome{,-beta,-unstable}/libwidevinecdmadapter.so mr, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-mime rPx, - /{usr/,}bin/xdg-open rPx -> child-open, - /{usr/,}bin/xdg-settings rPx, - /{usr/,}bin/xdg-desktop-menu rPx, - /{usr/,}bin/xdg-icon-resource rPx, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - /etc/fstab r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - owner @{HOME}/ r, - owner @{OPERA_HOMEDIR}/ rw, - owner @{OPERA_HOMEDIR}/** rwk, - - owner 
@{user_cache_dirs}/ rw, - owner @{OPERA_CACHEDIR}/{,**/} rw, - owner @{OPERA_CACHEDIR}/**/{*-,}index rw, - owner @{OPERA_CACHEDIR}/**/[a-f0-9]*_? rw, - owner @{OPERA_CACHEDIR}/**/todelete_* rw, - - # For importing data (bookmarks, cookies, etc) from Firefox - # owner @{HOME}/.mozilla/firefox/profiles.ini r, - # owner @{HOME}/.mozilla/firefox/*/ r, - # owner @{HOME}/.mozilla/firefox/*/compatibility.ini r, - # owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r, - # owner @{HOME}/.mozilla/firefox/*/.parentlock rwk, - # owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk, - # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, - # owner @{HOME}/.mozilla/firefox/*/logins.json r, - - # For importing data (bookmarks, cookies, etc) from Chromium - # owner "@{user_config_dirs}/chromium/Local State" r, - # owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w, - # owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk, - # owner @{user_config_dirs}/chromium/*/ r, - # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk, - - owner /tmp/opera-crashlog-[0-9]*-[0-9]*.txt rw, - - @{PROC}/ r, - deny @{PROC}/vmstat r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/@{pid}/fd/ r, - deny @{PROC}/@{pids}/stat r, - deny @{PROC}/@{pids}/statm r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - deny owner @{PROC}/@{pids}/cmdline r, - deny owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pid}/task/ r, - deny @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/status r, - deny owner @{PROC}/@{pid}/limits r, - deny owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - @{PROC}/sys/fs/inotify/max_user_watches r, - - @{run}/udev/data/* r, - - @{sys}/bus/ r, - @{sys}/bus/**/devices/ r, - @{sys}/class/ r, - @{sys}/class/**/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/pci[0-9]*/**/irq r, - 
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, - @{sys}/devices/virtual/tty/tty[0-9]/active r, - - /dev/ r, - - # Silencer - deny @{OPERA_INSTALLDIR}/** w, - include if exists } diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index 4f8ea915..03aa613f 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -1,22 +1,23 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer} -@{OPERA_HOMEDIR} = @{user_config_dirs}/opera{,-beta,-developer} -@{OPERA_CACHEDIR} = @{user_cache_dirs}/opera{,-beta,-developer} +@{chromium_name} = opera{,-beta,-developer} +@{chromium_install_dirs} = /{usr/,}lib/@{multiarch}/@{chromium_name} +@{chromium_config_dirs} = @{user_config_dirs}/@{chromium_name} -@{exec_path} = @{OPERA_INSTALLDIR}/opera_crashreporter +@{exec_path} = @{chromium_install_dirs}/opera_crashreporter profile opera-crashreporter @{exec_path} { include - include - include include + include include + include include include 
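Review bot: The new transition `@{chromium_install_dirs}/opera-sandbox rPx,` spells the helper with a hyphen, but the line it replaces was `opera_sandbox` and the opera-sandbox profile in this same commit attaches to `@{exec_path} = @{chromium_install_dirs}/opera_sandbox`, so unless the shared abstraction grants the underscore path the browser can no longer exec its sandbox under enforcement. Change it to `@{chromium_install_dirs}/opera_sandbox rPx,`. Separately, the explicit `deny` rules on `@{PROC}/vmstat`, `@{PROC}/@{pids}/{stat,statm}`, `owner @{PROC}/@{pids}/{cmdline,environ}` and `owner @{PROC}/@{pid}/{limits,mem}` are dropped without replacement; if the abstraction included here (its name is stripped from this view) grants those reads, Opera's narrower /proc policy is widened silently, which a refactor commit should at least call out in its description.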
@@ -24,15 +25,13 @@ profile opera-crashreporter @{exec_path} {
   @{exec_path} mr,
-  owner @{OPERA_HOMEDIR}/crash_count.txt rwk,
-  owner @{OPERA_HOMEDIR}/GPUCache/index r,
-  owner @{OPERA_HOMEDIR}/GPUCache/data_* r,
+  owner @{chromium_config_dirs}/crash_count.txt rwk,
+  owner @{chromium_config_dirs}/GPUCache/data_* r,
+  owner @{chromium_config_dirs}/GPUCache/index r,
-  deny owner @{PROC}/@{pids}/cmdline r,
-  deny owner @{PROC}/@{pids}/environ r,
-  owner @{PROC}/@{pids}/task/ r,
-
-  deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+  owner @{PROC}/@{pids}/cmdline r,
+  owner @{PROC}/@{pids}/environ r,
+  owner @{PROC}/@{pids}/task/ r,
   include if exists
 }
diff --git a/apparmor.d/groups/browsers/opera-sandbox b/apparmor.d/groups/browsers/opera-sandbox
index f9f364ca..3d1bccb8 100644
--- a/apparmor.d/groups/browsers/opera-sandbox
+++ b/apparmor.d/groups/browsers/opera-sandbox
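Review bot: `deny owner @{PROC}/@{pids}/cmdline r,` and `deny owner @{PROC}/@{pids}/environ r,` are turned into allows, so the crash reporter may now read the environment of every same-user process, which routinely carries tokens and credentials; the previous profile denied exactly this and the commit message describes a refactor, not a policy change. Reading `cmdline` of the crashed process is a plausible need for a crash report, but `environ` deserves its own justification; absent one, keep `deny owner @{PROC}/@{pids}/environ r,` and add a comment on the `cmdline` rule naming the report field it feeds. The enclosing profile starts outside this hunk.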
@@ -6,33 +6,31 @@ abi ,
 include
-@{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}
-@{OPERA_HOMEDIR} = @{user_config_dirs}/opera{,-beta,-developer}
-@{OPERA_CACHEDIR} = @{user_cache_dirs}/opera{,-beta,-developer}
+@{chromium_name} = opera{,-beta,-developer}
+@{chromium_install_dirs} = /{usr/,}lib/@{multiarch}/@{chromium_name}
-@{exec_path} = @{OPERA_INSTALLDIR}/opera_sandbox
+@{exec_path} = @{chromium_install_dirs}/opera_sandbox
 profile opera-sandbox @{exec_path} {
   include
-  include
   include
+  include
-  # For kernel unprivileged user namespaces
+  capability setgid,
+  capability setuid,
   capability sys_admin,
   capability sys_chroot,
-  capability setuid,
-  capability setgid,
-
-  # optional
   capability sys_resource,
   signal (receive) set=(term, kill) peer=opera,
   @{exec_path} mr,
-  @{OPERA_INSTALLDIR}/opera{,-beta,-developer} rPx,
+  @{chromium_install_dirs}/opera{,-beta,-developer} rPx,
-  @{PROC}/@{pids}/ r,
-  deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+  @{PROC} r,
+  @{PROC}/@{pids}/ r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
   include if exists
 }
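Review bot: `signal (receive) set=(term, kill) peer=opera,` is kept, but the opera hunk in this commit removes the matching `signal (send) set=(term, kill) peer=opera-sandbox,` from the browser profile; unless the abstraction included there carries an equivalent send rule, the receive side is now unmatched and Opera can no longer terminate its own sandbox helper. Either re-add `signal (send) set=(term, kill) peer=opera-sandbox,` to the opera profile or confirm the abstraction provides it and say so in a comment next to this receive rule.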