The hardened Linux thread

Discussion in 'all things UNIX' started by J_L, Aug 23, 2015.

  1. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    To keep this thread alive, as I believe it could be a valuable asset to any Linux user, I would like to post my AppArmor profile for Google Chrome 48.x. Since I found it strange that there were Chromium profiles but none for Chrome, I decided to invest a weekend in figuring out a Chrome profile. I must admit this involved numerous resources, investigation and a lot of trial and error. I'm sure it could be argued that AppArmor profiles for Chromium-based browsers are unnecessary, or that there may be an easy way to transfer the Chromium profile to work with Chrome, but that is not the point for me. For me it was a huge learning curve, and I threw myself into the deep end. Nonetheless, it may be of interest to others, and others may also build upon it.

    The Chromium profiles that come by default with AppArmor seemed quite short in my opinion (i.e. locked down, with a few holes for general compatibility; e.g. dbus-session could be called to launch an application, or applications could be launched from the Downloads directory), otherwise known as inter-process communication. This compatibility also covers different desktop environments and the system calls made by the browser for resource access and usage, D-Bus being the one I mentioned earlier, as well as calls made by the browser to plugins such as system volume. These volume plugins change depending on the desktop environment, hence different settings will be needed based on which DE you use. I do not have the technical skills to figure out a universal rule to allow Chrome on all DEs, or the resources to try.

    My profile works very well on XFCE; some modifications may be needed to run it on Cinnamon, as mentioned earlier, but I have included compatibility for some applications.

    So far the only issues/annoyances I have encountered are:

    1. Chrome fails to remember that it is the default browser; however, if you choose Ignore, it will not prompt again to say it is not the default browser.
    2. Chrome cannot launch external applications, such as the Enpass extension opening the native client. However, if you open Enpass from anything other than the browser, the client and plugin can communicate and functionality is as normal. But it's probably safer. These D-Bus calls cannot be made and, similarly, downloaded files cannot be opened through the browser.

    If you are interested, create the following profiles.

    Create a file anywhere on the system and call the first file
    Code:
    opt.google.chrome.chrome
    and add the following
    Code:
    # Last Modified: Sun Feb  7 15:52:55 2016
    #include <tunables/global>
    
    /opt/google/chrome/chrome {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/dbus-session>
      #include <abstractions/ibus>
      #include <abstractions/fonts>
      #include <abstractions/nameservice>
      #include <abstractions/nvidia>
      #include <abstractions/cups-client>
    
      capability sys_admin,
      capability sys_chroot,
    
      /bin/which rix,
      /dev/ r,
      /dev/dri/card0 rw,
      /etc/cups/ppd/ r,
      /etc/drirc r,
      /etc/fstab r,
      /etc/lsb-release r,
      /etc/mtab r,
      /etc/python2.7/sitecustomize.py r,
      /etc/udev/udev.conf r,
      owner /home/*/ r,
      /home/*/.ICEauthority r,
      /home/*/.Xauthority r,
      /home/*/.cache/dconf/user rw,
      /home/*/.cache/gnome-mplayer/plugin/gecko-mediaplayer* rw,
      /home/*/.cache/google-chrome/Default/Cache/* rw,
      /home/*/.cache/google-chrome/Default/Media*/* rw,
      /home/*/.config/dconf/user r,
      /home/*/.config/google-chrome/ r,
      /home/*/.config/google-chrome/** rwk,
      /home/*/.config/ibus/bus/ w,
      /home/*/.config/user-dirs.dirs r,
      /home/*/.fontconfig/* r,
      /home/*/.gksu.lock r,
      /home/*/.goutputstream-* r,
      /home/*/.gtk-bookmarks r,
      /home/*/.icons/ r,
      /home/*/.local/share/icons/ r,
      /home/*/.local/share/icons/** r,
      /home/*/.local/share/mime/* r,
      /home/*/.local/share/recently-used.xbel* rw,
      /home/*/.mozilla/firefox/*.default/compatibility.ini r,
      /home/*/.mozilla/firefox/profiles.ini r,
      /home/*/.nv/GLCache/ r,
      /home/*/.nv/GLCache/** rwk,
      /home/*/.pki/nssdb/* r,
      /home/*/.pki/nssdb/*.db rwk,
      /home/*/.pulse-cookie rwk,
      /home/*/.thumbnails/normal/* r,
      /home/*/.xsession-errors r,
      owner /home/*/Downloads/ r,
      owner /home/*/Downloads/** rw,
      owner /home/*/Public/ r,
      owner /home/*/Public/** r,
      /opt/google/chrome/** r,
      /opt/google/chrome/*.so mr,
      /opt/google/chrome/PepperFlash/libpepflashplayer.so mr,
      /opt/google/chrome/chrome mrix,
      /opt/google/chrome/chrome-sandbox rPx,
      /opt/google/chrome/extensions/ rw,
      /opt/google/chrome/google-chrome Px,
      /opt/google/chrome/nacl_helper_bootstrap Px,
      /opt/google/chrome/xdg-settings Cx,
      /proc/ r,
      /proc/*/auxv r,
      /proc/*/gid_map w,
      /proc/*/setgroups w,
      /proc/*/uid_map w,
      /proc/[0-9]*/cmdline r,
      /proc/[0-9]*/fd/ r,
      /proc/[0-9]*/io r,
      /proc/[0-9]*/maps r,
      /proc/[0-9]*/mounts r,
      /proc/[0-9]*/oom_score_adj w,
      /proc/[0-9]*/oom_adj w,
      /proc/[0-9]*/stat r,
      /proc/[0-9]*/statm r,
      /proc/[0-9]*/status r,
      /proc/[0-9]*/task/ r,
      /proc/[0-9]*/task/[0-9]*/stat r,
      /proc/cpuinfo r,
      /proc/filesystems r,
      /proc/meminfo r,
      /proc/sys/kernel/shmmax r,
      /proc/sys/kernel/yama/ptrace_scope r,
      /proc/sys/net/ipv4/tcp_fastopen r,
      /run/shm/.com.google.Chrome.* rw,
      /run/shm/com.google.Chrome.shmem.* rw,
      /run/udev/data/* r,
      /run/user/????/dconf/user rw,
      /selinux/ r,
      /sys/bus/pci/devices/ r,
      /sys/devices/** r,
      /tmp/ r,
      /tmp/* mrw,
      /tmp/.com.google.Chrome.*/ rw,
      /tmp/.com.google.Chrome.*/Singleton* w,
      /tmp/.com.google.Chrome.*/manifest.json a,
      /tmp/CRX_????????????/ rw,
      /tmp/CRX_????????????/* rw,
      /tmp/icedteaplugin-*/ w,
      /tmp/icedteaplugin-*/[0-9]*-icedteanp-* rw,
      /tmp/scoped_dir*/DECODED* rw,
      /tmp/scoped_dir_*/ rw,
      /tmp/scoped_dir_*/.com.google.Chrome.* rw,
      /tmp/scoped_dir_*/CRX_INSTALL/ rw,
      /tmp/scoped_dir_*/CRX_INSTALL/** rw,
      /tmp/scoped_dir_*/mccea*_[0-9]*.crx rw,
      /usr/bin/ r,
      /usr/bin/gnome-mplayer Px,
      /usr/bin/lsb_release rix,
      /usr/bin/python?.? r,
      /usr/bin/xdg-open Cx,
      /usr/bin/xdg-settings Cx,
      /usr/include/python?.?/pyconfig.h r,
      /usr/lib/jvm/java-?-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so mr,
      /usr/lib/mozilla/plugins/gecko-mediaplayer-*.so mr,
      /usr/lib/mozilla/plugins/gecko-mediaplayer.so mr,
      /usr/lib/totem/totem-plugin-viewer Px,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/*/immodules/*.so mr,
      /usr/lib/x86_64-linux-gnu/pango/*/modules/pango-*.so mr,
      /usr/local/lib/python?.?/dist-packages/ r,
      /usr/local/share/applications/google-chrome.desktop r,
      /usr/share/X11/XErrorDB r,
      /usr/share/cinnamon/icons/ r,
      /usr/share/glib-2.0/schemas/gschemas.compiled r,
      /usr/share/gvfs/remote-volume-monitors/ r,
      /usr/share/gvfs/remote-volume-monitors/* r,
      /usr/share/icons/ r,
      /usr/share/icons/** r,
      /usr/share/mime/** r,
      /usr/share/misc/pci.ids r,
      /usr/share/pixmaps/ r,
      /usr/share/pyshared/* r,
      /usr/share/themes/** r,
      /var/tmp/ r,
      /var/tmp/* rw,
      owner /{run,dev}/shm/pulse-shm* k,
      /{run,dev}/shm/pulse-shm* rw,
    
    
      profile /opt/google/chrome/xdg-settings {
          
        /bin/dash r,
        /bin/grep rix,
        /bin/readlink rix,
        /bin/sed rix,
        /bin/which rix,
        /dev/null w,
        /etc/gnome/defaults.list r,
        /etc/ld.so.cache r,
        /etc/locale.alias r,
        /home/*/.local/share/applications/google-chrome.desktop rw,
        /home/*/.local/share/applications/mimeapps.list rw,
        /lib/x86_64-linux-gnu/ld-*.so r,
        /lib/x86_64-linux-gnu/libc-*.so mr,
        /lib/x86_64-linux-gnu/libdl-*.so mr,
        /lib/x86_64-linux-gnu/libm-*.so mr,
        /lib/x86_64-linux-gnu/libselinux.so.* mr,
        /opt/google/chrome/xdg-settings r,
        /proc/*/maps r,
        /proc/filesystems r,
        /usr/bin/basename rix,
        /usr/bin/cut rix,
        /usr/bin/gawk rix,
        /usr/bin/mawk rix,
        /bin/mkdir ixr,
        /bin/mv ixr,
        /bin/touch ixr,
        /usr/bin/dirname ixr,
        /usr/bin/gconftool-2 ix,
        /usr/bin/xdg-mime rix,
        /usr/lib/libsigsegv.so.* mr,
        /usr/lib/locale/** r,
        /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
    
      }
    
      profile /usr/bin/xdg-open {
        #include <abstractions/base>
    
        /bin/dash r,
        /etc/gnome/defaults.list r,
        /etc/nsswitch.conf r,
        /etc/passwd r,
        /home/*/.local/share/applications/mime* r,
        /home/*/.local/share/mime/* r,
        /proc/*/fd/ r,
        /usr/bin/evince Px,
        /usr/bin/gnome-open rix,
        /usr/bin/gvfs-open rix,
        /usr/bin/transmission-gtk Px,
        /usr/bin/xdg-open r,
        /usr/share/applications/*.desktop r,
        /usr/share/applications/evince.desktop r,
        /usr/share/applications/gimp.desktop r,
        /usr/share/applications/mimeinfo.cache r,
        /usr/share/mime/* r,
    
      }
    
      profile /usr/bin/xdg-settings {
        /bin/cat rix,
        /bin/dash r,
        /bin/grep rix,
        /bin/readlink rix,
        /bin/sed rix,
        /bin/which rix,
        /dev/null w,
        /etc/gnome/defaults.list r,
        /etc/ld.so.cache r,
        /etc/locale.alias r,
        /home/*/.local/share/applications/google-chrome.desktop r,
        /home/*/.local/share/applications/mimeapps.list r,
        /lib/x86_64-linux-gnu/ld-*.so r,
        /lib/x86_64-linux-gnu/libc-*.so mr,
        /lib/x86_64-linux-gnu/libdbus-1.so.* mr,
        /lib/x86_64-linux-gnu/libdl-*.so mr,
        /lib/x86_64-linux-gnu/libglib-2.0.so.* mr,
        /lib/x86_64-linux-gnu/liblzma.so.* r,
        /lib/x86_64-linux-gnu/libm-*.so mr,
        /lib/x86_64-linux-gnu/libpcre.so.* mr,
        /lib/x86_64-linux-gnu/libpthread-*.so mr,
        /lib/x86_64-linux-gnu/libresolv-*.so mr,
        /lib/x86_64-linux-gnu/librt-*.so mr,
        /lib/x86_64-linux-gnu/libselinux.so.* mr,
        /lib/x86_64-linux-gnu/libz.so.* mr,
        /proc/[0-9]*/maps r,
        /proc/filesystems r,
        /usr/bin/basename rix,
        /usr/bin/cut rix,
        /usr/bin/gawk rix,
        /usr/bin/gconftool-2 rix,
        /usr/bin/mawk rix,
        /usr/bin/xdg-mime rix,
        /usr/bin/xdg-settings r,
        /usr/lib/libsigsegv.so.* mr,
        /usr/lib/locale/** r,
        /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
        /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.* mr,
        /usr/lib/x86_64-linux-gnu/libffi.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgconf-2.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgio-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libsigsegv.so.* r,
        /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,
        /usr/share/applications/defaults.list r,
        /usr/share/applications/google-chrome.desktop r,
        /usr/share/locale-langpack/en_AU/LC_MESSAGES/* r,
      
      }
    }
    Create a second file and label it
    Code:
    opt.google.chrome.chrome-sandbox
    add the contents
    Code:
    # Last Modified: Sun Feb  7 15:48:55 2016
    #include <tunables/global>
    
    /opt/google/chrome/chrome-sandbox {
      capability chown,
      capability dac_override,
      capability fsetid,
      capability setgid,
      capability setuid,
      capability sys_admin,
      capability sys_chroot,
      capability sys_ptrace,
    
      /dev/null r,
      /etc/ld.so.cache r,
      /lib/@{multiarch}/ld-*.so* mr,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/libpthread-*.so mr,
      /lib{,32,64}/ld-*.so* mr,
      /lib{,32,64}/libc-*.so* mr,
      /lib{,32,64}/libld-*.so* mr,
      /lib{,32,64}/libm-*.so* mr,
      /lib{,32,64}/libpthread-*.so* mr,
      /opt/google/chrome/chrome rPx,
      /opt/google/chrome/chrome-sandbox r,
      /proc/ r,
      /proc/*/fd/ r,
      owner /tmp/** rw,
      @{PROC}/ r,
      @{PROC}/[0-9]*/ r,
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/[0-9]*/oom_adj w,
      @{PROC}/[0-9]*/oom_score_adj w,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
    
    }
    Create a third file and call it
    Code:
    opt.google.chrome.google-chrome
    add the contents
    Code:
    # Last Modified: Sun Feb  7 15:40:29 2016
    #include <tunables/global>
    
    /opt/google/chrome/google-chrome {
      #include <abstractions/base>
      #include <abstractions/bash>
    
      /bin/bash rix,
      /bin/cat rix,
      /bin/dash r,
      /bin/grep rix,
      /bin/mkdir rix,
      /bin/readlink rix,
      /bin/which rix,
      /dev/tty rw,
      /opt/google/chrome/chrome Px,
      /opt/google/chrome/google-chrome r,
      /proc/filesystems r,
      /usr/bin/dirname rix,
      /usr/bin/zenity rix,
    
    }
    Create the last file named
    Code:
    opt.google.chrome.nacl_helper_bootstrap
    Add contents
    Code:
    # Last Modified: Sun Feb  7 15:40:29 2016
    #include <tunables/global>
    
    /opt/google/chrome/nacl_helper_bootstrap {
      #include <abstractions/base>
    
    
    
      /opt/google/chrome/nacl_helper mr,
      /opt/google/chrome/nacl_helper_bootstrap mr,
      /proc/cpuinfo r,
      /proc/filesystems r,
      /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
    
    }
    Open /etc/apparmor.d/ as root and paste the 4 files into it.

    If you are using AppArmor already, enter
    Code:
    sudo invoke-rc.d apparmor reload
    Launch Chrome. If it does not launch, you will need to modify the profiles; enter
    Code:
    sudo aa-logprof
    This will read the error logs that were created. Follow the prompts to edit the rules.

    A run down of the prompt options can be found here http://www.la-samhna.de/library/apparmor.html

    As you can see, the first profile is extensive. Much of this can be simplified by using special characters such as "*", "**" and "?", and it probably can be refined and simplified. I may even have allowed something I should not have, and added things I didn't need. I used my Mint XFCE and Mint Cinnamon in a virtual machine to create these rules. Like I said, feel free to use and modify it to suit your own. There should be minimal changes required to use it on other desktop environments. But it works on my XFCE system.

    regards.
     
    Last edited: Feb 8, 2016
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    That's a very nice, solid-looking profile, TS4H.

    In my experience using the sudo aa-logprof feature, I found that first setting any of the profiles to "complain" mode with:
    Code:
    sudo aa-complain usr.bin.chr*
    (I use Chromium), then exercising the browser by opening and closing it a few times, navigating to pages with active content, video, sound, navigating to settings, downloading a file, etc., then running sudo aa-logprof, modifying the profiles as needed, then putting them back into enforce mode with:
    Code:
    sudo aa-enforce usr.bin.chr*
    helped to speed up the process for me and resulted in less "breakage" of the browser until I got the profiles modified to my liking.

    FWIW, the last time I created a Chromium profile, I went a little less strict than I had in the past in an effort to strike a preferred balance between security and convenience. With further hardening such as firejail and an anti-scripting extension, I don't see the point of going too strict with AppArmor, since it has always caused more breakage than I'd like, resulting in running my logprof routine quite a number of times after the initial profile build.
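As an added example (this is not code from either post above), here is a small shell script covering the two things a reviewer would want around a profile this size: a rule-by-rule scan of the profile text for write+exec combinations, wildcard writes and capabilities (the posted profile contains, for instance, `/tmp/* mrw`, `/var/tmp/* rw` and `capability sys_admin`), and the complain, exercise, logprof, enforce cycle described in this post wrapped into one function. The profile text inside the script is constructed test data modelled on the posted rules, `audit_profile` is a plain text scan rather than a parser, and `tune_profile` assumes a host with the aa-* tools installed and apparmor_parser's `-Q` (skip kernel load) option; nothing here talks to a real AppArmor kernel.

```shell
#!/bin/sh
# Added example, not from the original posts: a rule-by-rule review of an
# AppArmor profile before it is loaded, plus the complain -> exercise ->
# logprof -> enforce loop described in the thread. The profile text used
# below is constructed test data modelled on the posted profile.

# audit_profile FILE
# Prints one line per rule that deserves a second look:
#   WRITE+EXEC   write (w) or append (a) combined with mmap (m) or an exec
#                mode (ix/Px/Cx/Ux) on the same path: the confined process
#                could write a file there and then load or run it
#   BROAD-WRITE  write permission on a wildcard path ending in * or **
#   CAP          every capability line, since capabilities bypass DAC checks
# This is a plain text scan; it does not replace apparmor_parser.
audit_profile() {
    awk '
        /^[[:space:]]*(owner[[:space:]]+)?[\/@]/ {
            rule = $0
            sub(/,[[:space:]]*$/, "", rule)             # drop trailing comma
            n = split(rule, f, /[[:space:]]+/)
            perms = f[n]; path = f[n - 1]
            if (perms == "{") next                      # profile header, not a rule
            w = (perms ~ /[wa]/)
            x = (perms ~ /[mx]/)
            if (w && x)                 printf "WRITE+EXEC %s %s\n", path, perms
            else if (w && path ~ /\*$/) printf "BROAD-WRITE %s %s\n", path, perms
        }
        /^[[:space:]]*capability[[:space:]]+/ {
            sub(/,.*$/, "")
            printf "CAP %s\n", $2
        }
    ' "$1"
}

# write_sample_profile FILE
# Constructed excerpt in the style of the posted profile (test data only).
write_sample_profile() {
    cat > "$1" <<'EOF'
#include <tunables/global>
/opt/google/chrome/chrome {
  #include <abstractions/base>
  capability sys_admin,
  capability sys_chroot,
  /bin/which rix,
  owner /home/*/Downloads/** rw,
  /opt/google/chrome/chrome-sandbox rPx,
  /tmp/ r,
  /tmp/* mrw,
  /var/tmp/* rw,
  @{PROC}/[0-9]*/oom_score_adj w,
}
EOF
}

# audit_sample: audit the constructed profile and print the findings.
audit_sample() {
    tmp=$(mktemp)
    write_sample_profile "$tmp"
    audit_profile "$tmp"
    rm -f "$tmp"
}

# tune_profile NAME
# NAME is the file under /etc/apparmor.d (e.g. opt.google.chrome.chrome).
# Only meaningful on a host with AppArmor and the aa-* tools, so it is
# defined here but not run.
tune_profile() {
    name=$1
    sudo apparmor_parser -Q -r "/etc/apparmor.d/$name"   # parse only, no kernel load
    sudo aa-complain "/etc/apparmor.d/$name"             # log denials instead of blocking
    printf 'Exercise the browser (pages, video, sound, a download), then press Enter: '
    read -r _
    sudo aa-logprof                                      # turn logged denials into rules
    sudo aa-enforce "/etc/apparmor.d/$name"
    sudo aa-status
}

# Usage: scan the constructed sample and print its findings.
audit_sample
```

Run against the sample the scan reports `WRITE+EXEC /tmp/* mrw`, two `BROAD-WRITE` paths and the two capabilities, and stays silent on read-only or exec-only rules such as `rix` and `rPx`. A `WRITE+EXEC` hit on a world-writable directory is the one to fix first: either drop the `m` or narrow the path to the specific files the browser needs, then re-run the complain/logprof cycle to confirm nothing else broke.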
     
  3. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Thank you; yes, aa-logprof and aa-complain were lifesavers, although the initial prompts are quite mortifying. I first just tried to get the browser to open, then reviewed the logs and rules to understand what it needs and which locations are accessed. Then I opened the browser with basic functions, i.e. syncing settings with my Chrome account, and reviewed the log to see what had changed. Then opening YouTube, accessing sound, using the system title bar and borders, etc., reviewing the log and adding rules, slowly building up functionality. I must admit I like the simplicity of the Chromium profile. It functions without conflict and is still quite secure.

    I agree; as a learning curve it was important for me to see the extent to which something like a browser functions on an OS, given the rights it requires. I do plan to simplify this profile to get rid of the final quirks I had, such as remembering the default browser, and launching unconfined Enpass from within Chrome to get two-way functionality and not just client to Chrome. I may need to study the Chromium profile a bit more to see the differences, or to see how they allowed these functions.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    It looks like you did a really nice job on your profile and put lots of effort into it, certainly far more than I admittedly put into my first few attempts. I was pretty clueless for the first little while venturing into AppArmor.
     
  5. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Thank you. Admittedly I was going to give up. Massive learning curve; it required much prior reading on the Linux file system structure, which I've been slowly reading about and understanding over the last couple of weeks. Importantly, understanding where and why certain locations exist, what they contain and why it is contained there. Then understanding how AppArmor works and the associated rule syntax was another massive learning curve.

    regards.
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    The German computer site golem.de tried the alpha version of Subgraph. They were truly impressed. The first beta should be available this summer and v. 1.0 next year.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Why do you think Linux needs hardening?
    Mrk
     
  8. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Because Linux (the Kernel) is vulnerable.
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    And how's that related to what you do at home?
    Mrk
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Actually I think that Linux desktop users are rather safe.

    On the other hand, I think that the general threat level has increased. iOS, e.g., was supposed to be secure not long ago - now there is ransomware (KeRanger) also for that OS. And there have been reports lately that even Linux users are targeted by malware. Granted, the practical relevance is still more or less negligible (and I still wonder how an average Linux user who's able to walk and chew gum at the same time would manage to install such stuff - well, perhaps via social engineering). Nonetheless, I prefer to act by implementing precautionary measures before something happens rather than react afterwards. Besides, for me it's fun and an intellectual challenge to harden a system as much as possible without making it unusable. But to each his own. ;)
     
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    In this regard we're way more protected than Mac and Windows users, because we have trusted repositories with everything we need. Even if, say, a repository is cracked, the cracker would need to compromise the developer's digital signature to do any harm.
     
  12. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Has anyone seen this: https://lizards.opensuse.org/2014/09/15/next-opensuse-hardening/

    This guy is updating his packages quite regularly.
    https://software.opensuse.org/package/kernel-grsec-desktop
    https://build.opensuse.org/package/show?project=home:dsterba:grsecurity&package=kernel-grsec-desktop

    GRSec commented on their Twitter, but I'm not sure this means a green flag to install it on openSUSE. Has anyone reviewed the source code and packages?
    https://twitter.com/grsecurity/status/509453993014472704
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Container Linux on the Desktop
    Or How I Over Engineered My Laptop
    Video:
    https://www.youtube.com/watch?v=gES4-X6y278
    Slides:
    https://docs.google.com/presentation/d/17Hml1iFqdXElxOcrh9caQSC5px5mDgaS015Vhaz42ZY/edit#slide=id.p
     
    Last edited by a moderator: Oct 7, 2017