Re: Anyone using Apparmor?
VirtualBox is done. If you use nvidia you'll need to change things up a bit. It might be a bit loose in some areas and a bit tight in others. I gave it superfluous read access in a few places, but if it can lock or write a file it's because it needs to. I explicitly blocked the password file.
Code:
# Last Modified: Sat Mar 31 15:33:21 2012
# Profile for the VirtualBox launcher script. Rules are grouped by purpose;
# AppArmor evaluates them as a set, so the grouping changes nothing.
#include <tunables/global>
/usr/share/virtualbox/VBox.sh {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/nvidia>

  # Capabilities and sockets.
  capability net_raw,
  capability sys_ptrace,
  network inet raw,
  network inet stream,
  network inet6 stream,

  # A deny rule takes precedence over every allow rule, including anything
  # the included abstractions grant.
  deny /etc/passwd r,

  # Shell and helper binaries; "ix" keeps the children in this profile.
  /bin/bash rix,
  /bin/dash rix,
  /bin/which rix,
  /usr/lib/virtualbox/VBoxSVC rix,
  /usr/lib/virtualbox/VBoxTestOGL rix,
  /usr/lib/virtualbox/VBoxXPCOMIPCD rix,
  /usr/lib/virtualbox/VirtualBox rix,

  # Devices (GPU and the VirtualBox kernel module interface).
  /dev/ati/* rw,
  /dev/vboxdrv rw,

  # Per-user configuration, caches and VM storage.
  /home/*/.ICEauthority r,
  /home/*/.Xauthority r,
  /home/*/.VirtualBox/ r,
  /home/*/.VirtualBox/* rw,
  /home/*/.cache/dconf/user rw,
  /home/*/.config/Trolltech.conf rk,
  /home/*/.config/dconf/user r,
  /home/*/.icons/ r,
  /home/*/.local/share/* r,
  "/home/*/Documents/OS Images/*" r,
  "/home/*/VirtualBox VMs/**" rw,
  /etc/xdg/Trolltech.conf rk,

  # Libraries and read-only shared data.
  /lib/** r,
  /lib32/** r,
  /lib64/** r,
  /usr/lib{,32,64}/** mr,
  /usr/share/glib-2.0/** r,
  /usr/share/icons/ r,
  /usr/share/icons/** rk,
  /usr/share/mime/* r,
  /usr/share/pixmaps/ r,
  /usr/share/themes/** r,
  /usr/share/virtualbox/** r,
  /run/resolvconf/* r,

  # Process and hardware introspection.
  /proc/ r,
  /proc/*/cmdline r,
  /proc/*/io r,
  /proc/*/oom_score_adj rw,
  /proc/*/stat r,
  /proc/*/statm r,
  /proc/*/status r,
  /proc/*/task/** r,
  /proc/ati/* r,
  /proc/meminfo r,
  /proc/modules r,
  /proc/sys/kernel/** r,
  /proc/tty/drivers r,
  /proc/uptime r,
  /proc/version r,
  /sys/block/ r,
  /sys/class/*/ r,
  /sys/devices/** r,

  # Scratch space. NOTE(review): /tmp write is not restricted to the
  # caller's own files; "owner /tmp/** wk," may be enough — confirm with the
  # audit log.
  /tmp/** wk,
  owner /{run,dev}/shm/* rk,
  /{run,dev}/shm/* w,
}
You may want to add
/usr/lib/virtualbox/* rix,
There aren't really any more I can profile on my system. Everything worth profiling is profiled.
Unfortunately we can't build seccomp filters ourselves; they have to be compiled into the program. When Ubuntu 12.04 is released we'll hopefully see the most common programs (pidgin, browsers, etc.) make use of this. Or perhaps there will be some way to apply them from outside of the program.
Here's Chrome + Chrome Sandbox + nacli
Chrome opt.google.chrome.google-chrome:
Code:
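# Last Modified: Sat Mar 31 04:27:39 2012
# Profile for the google-chrome wrapper and the browser process it starts.
# The setuid sandbox is confined separately via the "px" transition below.
#include <tunables/global>
/opt/google/chrome/google-chrome {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/fonts>
  #include <abstractions/freedesktop.org>
  #include <abstractions/gnome>
  #include <abstractions/nameservice>
  #include <abstractions/nvidia>
  #include <abstractions/ubuntu-konsole>
  #include <abstractions/user-tmp>

  capability ipc_lock,
  capability sys_ptrace,
  network inet stream,
  network inet6 stream,

  # The three rules below grant read access to the entire filesystem, so every
  # other plain "r" rule in this profile is redundant and the profile does not
  # stop the browser from reading the user's files. Until the blanket read can
  # be replaced by the explicit paths, keep key material out of reach: deny
  # rules take precedence over allow rules.
  / r,
  /** r,
  /**/ r,
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,

  # Helper binaries run by the wrapper script; "ix" keeps them in this profile.
  /bin/bash ix,
  /bin/dash rix,
  /bin/grep rix,
  /bin/mkdir rix,
  /bin/ps rix,
  /bin/readlink rix,
  /bin/which rix,
  /usr/bin/basename rix,
  /usr/bin/dirname rix,
  /usr/bin/gvfs-open rix,
  /usr/bin/lsb_release rix,
  /usr/bin/xdg-open rix,
  /usr/bin/xdg-settings rix,

  /dev/ati/card0 rw,
  /dev/video0 r,

  /etc/debian_version r,
  /etc/lsb-release r,
  # NOTE(review): "m" on /etc/passwd without "r" looks like an aa-logprof
  # artifact; the file is already readable through the blanket read above.
  /etc/passwd m,
  /etc/pulse/client.conf r,
  /etc/python2.7/* r,

  # Per-user state. NOTE(review): these use "/home/*/" while the rules at the
  # end use "owner @{HOME}/"; the owner form limits access to the invoking
  # user's own files and is the safer spelling for the profile directory.
  /home/*/.Xauthority r,
  /home/*/.cache/dconf/user rw,
  /home/*/.cache/google-chrome/Default/Cache/* rw,
  "/home/*/.cache/google-chrome/Default/Media Cache/*" rw,
  "/home/*/.cache/google-chrome/Profile 1/Cache/*" rw,
  /home/*/.config/dconf/* r,
  /home/*/.config/google-chrome/** rwk,
  /home/*/.gtk-bookmarks r,
  /home/*/.macromedia/Flash_Player/** rw,
  /home/*/.pki/nssdb/* rwk,
  /home/*/.pulse-cookie rwk,
  /home/documents/ r,

  # Browser install tree. NOTE(review): "rw" lets the confined browser modify
  # its own binaries and plugins; if no write is reported in the audit log,
  # "/opt/google/** r," (with the "mr" rules below) should suffice.
  /opt/google/** rw,
  /opt/google/chrome/* mr,
  /opt/google/chrome/PepperFlash/* mr,
  /opt/google/chrome/chrome rix,
  # The setuid sandbox gets its own profile.
  /opt/google/chrome/chrome-sandbox px,
  /opt/google/chrome/xdg-settings rix,

  /proc/*/io r,
  /proc/*/oom_score_adj w,
  /proc/*/stat r,
  /proc/*/statm r,
  /proc/*/status r,
  /proc/*/task/** r,
  /proc/ati/* r,
  /proc/meminfo r,
  /proc/modules r,
  /proc/sys/kernel/pid_max r,
  /proc/tty/drivers r,
  /proc/uptime r,
  /proc/version r,
  owner @{PROC}/[0-9]*/auxv r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,

  # NOTE(review): "/run/** rw" is broad; the shm rule below it covers the
  # shared-memory segments, so the rest of /run may only need read access.
  /run/shm/* rwm,
  /run/** rw,
  owner /{dev,run}/shm/pulse-shm* m,

  /sys/devices/** r,
  /sys/devices/pci[0-9]*/**/class r,
  /sys/devices/pci[0-9]*/**/device r,
  /sys/devices/pci[0-9]*/**/irq r,
  /sys/devices/pci[0-9]*/**/resource r,
  /sys/devices/pci[0-9]*/**/vendor r,

  owner /tmp/** mrlk,
  /tmp/** w,
  /tmp/*/ rw,
  /var/tmp/* rw,

  /usr/include/python2.7/* r,
  /usr/lib{,32,64}/** mr,
  /usr/share/alsa/** r,
  /usr/share/fonts/**/*.pfb m,
  /usr/share/fonts/truetype/**/*.tt[cf] m,
  /usr/share/glib-2.0/schemas/* r,
  /usr/share/gvfs/remote-volume-monitors/* r,
  /usr/share/icons/**/*.cache m,
  /usr/share/mime/mime.cache m,
  /usr/share/pyshared/* r,
  /usr/share/themes/** r,
  /var/lib/dbus/machine-id r,

  # Download and share directories, limited to the invoking user's own files.
  owner @{HOME}/ r,
  owner @{HOME}/.local/share/mime/mime.cache m,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
}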
Sandbox opt.google.chrome.chrome-sandbox:
Code:
# Last Modified: Sat Mar 31 00:09:28 2012
# Profile for the setuid sandbox helper. Entered from the google-chrome
# profile through its "px" rule.
#include <tunables/global>
/opt/google/chrome/chrome-sandbox {
  #include <abstractions/base>
  #include <abstractions/ubuntu-konsole>

  # Privileges the setuid helper uses to set up and then drop into the
  # sandbox. NOTE(review): the "rix" rule for chrome below keeps the renderers
  # in this profile, so this capability set stays allowed for them too; a
  # separate child profile would need a "px" target that does not exist here.
  capability chown,
  capability dac_override,
  capability fsetid,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

  # Browser and NaCl loader binaries.
  /opt/google/** mr,
  /opt/google/chrome/ r,
  /opt/google/chrome/google-chrome r,
  /opt/google/chrome/chrome-sandbox r,
  /opt/google/chrome/chrome rix,
  /opt/google/chrome/nacl_helper_bootstrap px,

  # Per-user browser data touched from inside this profile.
  /home/*/.config/google-chrome/Default/** rwk,
  /home/*/.config/google-chrome/Dictionaries/* r,
  /home/documents/ r,

  # Runtime libraries, covering the multiarch, lib32/lib64 and tls layouts.
  /etc/ld.so.cache r,
  /lib/libgcc_s.so* mr,
  /lib{,32,64}/ld-*.so* mr,
  /lib/@{multiarch}/ld-*.so* mr,
  /lib{,32,64}/libc-*.so* mr,
  /lib/@{multiarch}/libc-*.so* mr,
  /lib{,32,64}/libld-*.so* mr,
  /lib/@{multiarch}/libld-*.so* mr,
  /lib{,32,64}/libm-*.so* mr,
  /lib/@{multiarch}/libm-*.so* mr,
  /lib{,32,64}/libpthread-*.so* mr,
  /lib/@{multiarch}/libpthread-*.so* mr,
  /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
  /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
  /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
  /usr/lib/libstdc++.so* mr,

  # Shared memory and process/hardware introspection.
  /run/shm/* rw,
  /sys/devices/system/cpu/** r,
  /proc/ r,
  /proc/*/ r,
  /proc/*/fd/ r,
  /proc/*/oom_score_adj w,
  /proc/*/status r,
  /proc/sys/kernel/shmmax r,
  @{PROC}/ r,
  @{PROC}/[0-9]*/ r,
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/oom_adj w,
  @{PROC}/[0-9]*/oom_score_adj w,
  @{PROC}/[0-9]*/task/[0-9]*/stat r,
}
NaCli opt.google.chrome.nacl_helper_bootstrap
Code:
# Last Modified: Sat Mar 31 04:24:18 2012
# Profile for the Native Client bootstrap loader. Entered from the
# chrome-sandbox profile through its "px" rule.
#include <tunables/global>
/opt/google/chrome/nacl_helper_bootstrap {
  #include <abstractions/base>

  # NaCl helper and runtime image.
  /opt/google/chrome/nacl_helper mr,
  /opt/google/chrome/nacl_irt_x86_64.nexe r,

  # Shared memory, CPU feature probing and scratch reads.
  /run/shm/* mrw,
  /sys/devices/system/cpu/cpu0/** r,
  /tmp/* r,
}
NaCli's profile may need more work; I haven't tested it.
Last edited by Hungry Man : March 31st, 2012 at 04:35 PM.