How to know which Apparmor "capabilities" are needed?

Discussion in 'all things UNIX' started by wat0114, Sep 8, 2013.

Thread Status:
Not open for further replies.
  1. wat0114 (Registered Member; Joined: Aug 5, 2012; Posts: 4,066; Location: Canada)

    I've recently built a profile for Chrome, backed up the profiles then decided to experiment with the capabilities, which apparently can be dangerous (I think HungryMan mentions this somewhere :) ), by commenting out all of them...

    #capability dac_override,
    #capability setgid,
    #capability setuid,
    #capability sys_admin,
    #capability sys_chroot,
    #capability sys_ptrace,

    ...reloaded the profile and found nothing has broken so far using Chrome. How does one know what's safe or not and which ones are needed when generating a profile?

    EDIT

    okay I encountered problems with Chrome crashing closed when trying to access anything under the Preferences menu. aa-logprof offers no clues and the capabilities don't take effect after simply reloading the profile; a reboot is needed as well. Just to make things easier on myself I merely added all the capabilities back into the profile. No problems now. I know HM had stated the chrome-sandbox profile contains the capabilities but not the chrome.chrome profile. Still, the chrome.chrome profile needs at least some of them.
     
    Last edited: Sep 8, 2013
  2. Warlockz (Registered Member; Joined: Oct 30, 2008; Posts: 642)

    EDIT Sorry, didn't realize this is a tutorial "Securing Google Chrome in Ubuntu 12.04 with AppArmor and Seccomp", looks interesting though
    http://rookcifer.blogspot.com/2012/09/securing-google-chrome-in-ubuntu-1204.html
    updated troubleshooting thread for above thread
    http://ubuntuforums.org/showthread.php?t=2137964

    Or search for apparmor chrome profile

    here is the Hungry Man thread

    https://www.wilderssecurity.com/showthread.php?t=320017&page=2&highlight=apparmor

    Not sure but could be of help until someone replies with an actual answer
     
    Last edited: Sep 8, 2013
  3. Hungry Man (Registered Member; Joined: May 11, 2011; Posts: 9,146)

    Well you have to understand what each of those things is.

    DAC override means that it can override the Discretionary Access Control Permissions.

    SetGID and SetUID means that the executable can change UID/GIDs.

    Sys_Admin means running as root.

    Sys_Chroot means that it can create chroots.

    Sys_Ptrace means that it can modify other processes' memory.

    All of the above are necessary for the Chrome Sandbox to function properly. Removing them will prevent the sandbox from restricting Chrome.

    That's why it's best to have a Chrome Sandbox profile separate from your Chrome profile.
     
  4. wat0114 (Registered Member; Joined: Aug 5, 2012; Posts: 4,066; Location: Canada)

    @Warlockz,

    thank you for the links :)

    Thanks HM! Yeah, I kind of knew what most of them meant, except the sys_ptrace and DAC override. Thanks again.

    Actually I do have a separate chrome-sandbox and a nacl_helper_bootstrap profile as well. Those same capabilities are present in the sandbox profile. For whatever reason, though, they (some of them for sure) are definitely required in the chrome.chrome profile, or it crashes under the circumstances I mention above.
     
  5. Hungry Man (Registered Member; Joined: May 11, 2011; Posts: 9,146)

    That's very strange, and I would suggest looking into exactly which permission is necessary and what's being broken. I suspect it's the ptrace one.
     
  6. wat0114 (Registered Member; Joined: Aug 5, 2012; Posts: 4,066; Location: Canada)

    Thanks for the tips!
     
  7. wat0114 (Registered Member; Joined: Aug 5, 2012; Posts: 4,066; Location: Canada)

    Good call Hungry :thumb:

    It's the only capability required (so far) in the chrome.chrome profile. I've deleted the others, reloaded profile, rebooted pc, and no ill effects so far. BTW, I discovered the hard way that preceding these with a "#" does not work, thus the reason I've deleted them after of course backing up the profiles.

    I suppose allowing sys_ptrace is kind of dangerous because it can modify other's memory, but I don't worry too much at all. I think apparmor's got Chrome locked down pretty solidly, plus it's on Linux, the sandboxes are all enabled, and I've got javascript and images limited to some degree as well, even though it's not nearly the same as noscript. I'm really impressed at how apparmor restricts the program in exactly what it can do, and no more :)
     
    Last edited: Sep 8, 2013
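
Added example, not part of the thread: instead of deleting capabilities and rebooting to see what breaks, the kernel's AppArmor audit records can be read directly, because a capability check that the profile does not cover is normally logged with operation="capable" and a capname field. The sketch below collects those records per profile and compares them with the profile's capability rules. The log lines, profile text and profile names are constructed for illustration, and it assumes the log was captured while the capability rules were removed from the profile (in complain or enforce mode).

```python
import re
from collections import defaultdict

# Constructed audit lines (not from the thread), in the key="value" layout AppArmor
# writes to kern.log / audit.log. The profile names are assumed for illustration.
SAMPLE_LOG = '''\
type=1400 audit(1378634462.101:31): apparmor="DENIED" operation="capable" profile="/opt/google/chrome/chrome" pid=2101 comm="chrome" capability=19  capname="sys_ptrace"
type=1400 audit(1378634462.230:32): apparmor="DENIED" operation="open" profile="/opt/google/chrome/chrome" name="/home/user/notes.txt" pid=2101 comm="chrome" requested_mask="r" denied_mask="r"
type=1400 audit(1378634463.004:33): apparmor="ALLOWED" operation="capable" profile="/opt/google/chrome/chrome-sandbox" pid=2110 comm="chrome-sandbox" capability=18  capname="sys_chroot"
type=1400 audit(1378634470.412:34): apparmor="DENIED" operation="capable" profile="/opt/google/chrome/chrome" pid=2101 comm="chrome" capability=19  capname="sys_ptrace"
'''

# Constructed profile text granting the six capabilities listed in the first post.
SAMPLE_PROFILE = '''\
/opt/google/chrome/chrome {
  capability dac_override,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,
  # capability mknod,   <- '#' starts a comment in profile syntax, so this grants nothing
}
'''

def observed_caps(log_text):
    """Map profile name -> {capname: set of verdicts} from operation="capable" records."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if f.get("operation") == "capable" and "capname" in f and "profile" in f:
            seen[f["profile"]][f["capname"]].add(f.get("apparmor", "?"))
    return seen

def granted_caps(profile_text):
    """Capabilities granted by uncommented 'capability a b,' rules (deny rules are skipped)."""
    caps = set()
    for m in re.finditer(r'^\s*(?:audit\s+)?capability\s+([a-z_\s]+?)\s*,', profile_text, re.M):
        caps.update(m.group(1).split())
    return caps

def review(profile_text, log_text, profile_name):
    """Return (needed, unused): caps the log shows in use, and granted caps never seen."""
    needed = set(observed_caps(log_text).get(profile_name, {}))
    return sorted(needed), sorted(granted_caps(profile_text) - needed)

if __name__ == "__main__":
    needed, unused = review(SAMPLE_PROFILE, SAMPLE_LOG, "/opt/google/chrome/chrome")
    print("seen in log:", needed, "| granted but never seen:", unused)
```

A capability that never shows up in one session may still be needed on a rarely exercised code path, so the "unused" list is a set of candidates to test, not a final answer.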
  8. Hungry Man (Registered Member; Joined: May 11, 2011; Posts: 9,146)

    I personally don't have the cap_sysptrace in my profile, but I know that it can be necessary for plugins to work.

    Apparmor is really good, it's very simple and powerful. I think it does MAC well. And Chrome using seccomp makes things even better.

    Essentially an attacker needs a Chrome only exploit (since kernel exploits are incredibly difficult from renderer, which has virtually no system calls allowed) to get into the broker process, and then they need a kernel exploit on top of that. If you set your system up properly we're talking about a couple of months to break in.
     
  9. wat0114 (Registered Member; Joined: Aug 5, 2012; Posts: 4,066; Location: Canada)

    That's good. Just for interest sake, I re-profiled Chrome, this time restricting it to the specific extensions I'm using - Ad Block, Lastpass, Edit cookie and Click & clean. Also did a bit less globbing here and there throughout for further restrictions. Lots of fun :)
     
  10. Hungry Man (Registered Member; Joined: May 11, 2011; Posts: 9,146)

    Yeah, my Chrome profile is pretty heavily restricted. One thing I'd suggest is going through and making use of 'owner' rules as well. Apparmor doesn't do a great job of this with its learning mode, but in reality you can probably add a large number.
     
  11. wat0114 (Registered Member; Joined: Aug 5, 2012; Posts: 4,066; Location: Canada)

    I might tackle this if I'm at a reasonable comfort level, otherwise I'll just stick to the basics :)
     