Anyone using Apparmor?

Discussion in 'all things UNIX' started by Hungry Man, Mar 11, 2012.

Thread Status:
Not open for further replies.
  1. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,464
    How the hell do you configure apparmor for chromium? I still haven't figured out how; it keeps saying "directory doesn't exist".
     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    If on Ubuntu, it comes with a Chromium profile, but you will need to enable it. First you will need to install apparmor-utils from the repos. After that you can run:

    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.chromium-browser
    Notice, you may not be able to start Chrome after that because the default profile may not be sufficient (you might have to tweak it). When I first enabled mine, it blocked Chromium from starting at all until I tweaked the profile.

    You can find the logs of AppArmor in

    Code:
    /var/log/syslog
    It will show you exactly what is being blocked and why. From there you can use that info to tweak the profile. If you need help doing that just ask.
     
  3. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    The Chrome profile you posted doesn't sandbox the sandbox. The default Chromium profile that comes with Ubuntu does. I just use it and modify minor things to my needs.
     
  4. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,464
    Thanks, but how do you tweak it? Can you give me your guide on tweaking AppArmor profiles with terminal commands please?
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Well, first enable it and see what it does. Post any logs from /var/log/syslog here.
     
  6. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,464
    OK, I'll give it a try.

    Worked fine, thanks chromo! Now how do I App-Armor adobe flash & java? That's my next question!
     
    Last edited: Sep 11, 2012
  7. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Java is already profiled, at least for the browser. Flash is sandboxed by Chromium automatically.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,615
    Location:
    Canada
    I had to add a few rules, mostly with "r," access, to get Java working for me. I might have actually gone overboard, but that's something I can't figure out just yet.

    Anyway, after numerous rule additions, I finally got it working fine, though no doubt there is some "streamlining" work to be done to make it all a bit more efficient. The profile below with my additions in bold text (hopefully I got them all bolded):

    Code:
    # disconnected)' in newer chromium versions
    # tunables/global defines the @{PROC}, @{HOME} and @{multiarch} variables used below
    #include <tunables/global>
    /usr/lib/chromium-browser/chromium-browser {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/cups-client>
      #include <abstractions/dbus-session>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/user-tmp>
    
      # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
      # you want access to productivity applications, adjust the following file
      # accordingly.
      #include <abstractions/ubuntu-browsers.d/chromium-browser>
    
      # Networking
      network inet stream,
      network inet6 stream,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r,
    
      # Should maybe be in abstractions
      /etc/mime.types r,
      /etc/mailcap r,
      /etc/xdg/xubuntu/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/mimeinfo.cache r,
    
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/filesystems r,
      @{PROC}/ r,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/cmdline r,
      owner @{PROC}/[0-9]*/io r,
      owner @{PROC}/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/status r,
    
      # Newer chromium needs these now
      /sys/devices/pci[0-9]*/**/class r,
      /sys/devices/pci[0-9]*/**/device r,
      /sys/devices/pci[0-9]*/**/irq r,
      /sys/devices/pci[0-9]*/**/resource r,
      /sys/devices/pci[0-9]*/**/vendor r,
      # ---- wat0114's additions begin (shown in bold in the original post) ----
      /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
      /home/*/.java/ r,
      /home/*/ r,
      /home/ r,
      /etc/hosts r,
      /etc/ld.so.cache r,
      /lib/libnss_mdns4.so.2 r,
      /tmp/ r,
      /usr/lib/jvm/java-7-oracle/jre/bin/java ix,
      # ---- additions end ----
    
      # Needed for the crash reporter
      owner @{PROC}/[0-9]*/auxv r,
    
      # chromium mmaps all kinds of things for speed.
      /etc/passwd m,
      /usr/share/fonts/truetype/**/*.tt[cf] m,
      /usr/share/fonts/**/*.pfb m,
      /usr/share/mime/mime.cache m,
      /usr/share/icons/**/*.cache m,
      owner /{dev,run}/shm/pulse-shm* m,
      owner @{HOME}/.local/share/mime/mime.cache m,
      owner /tmp/** m,
    
      @{PROC}/sys/kernel/shmmax r,
      owner /{dev,run}/shm/{,.}org.chromium.* mrw,
    
      /usr/lib/chromium-browser/*.pak mr,
      /usr/lib/chromium-browser/locales/* mr,
    
      # Noisy
      deny /usr/lib/chromium-browser/** w,
    
      # Make browsing directories work
      / r,
      /**/ r,
    
      # Allow access to documentation and other files the user may want to look
      # at in /usr
      /usr/{include,share,src}** r,
    
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
    
      # Helpers
      /usr/bin/xdg-open ixr,
      /usr/bin/gnome-open ixr,
      /usr/bin/gvfs-open ixr,
      # TODO: kde, xfce
    
      # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
      # which is provided by abstractions/ubuntu-browsers.d/user-files).
      @{PROC}/[0-9]*/oom_{,score_}adj w,
      /etc/firefox/profile/bookmarks.html r,
      owner @{HOME}/.mozilla/** k,
    
      # Chromium configuration
      owner @{HOME}/.pki/nssdb/* rwk,
      owner @{HOME}/.cache/chromium/ rw,
      owner @{HOME}/.cache/chromium/** rw,
      owner @{HOME}/.cache/chromium/Cache/* mr,
      owner @{HOME}/.config/chromium/ rw,
      owner @{HOME}/.config/chromium/** rwk,
      owner @{HOME}/.config/chromium/**/Cache/* mr,
      owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
      owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
    
      # Allow transitions to ourself and our sandbox
      /usr/lib/chromium-browser/chromium-browser ix,
      /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
    
      # TODO: child profile
      /bin/ps Uxr,
      /usr/lib/chromium-browser/xdg-settings Ux,
      /usr/bin/xdg-settings Ux,
    
      # Site-specific additions and overrides. See local/README for details.
      #include <local/usr.bin.chromium-browser>
    
    profile chromium_browser_sandbox {
        # Be fanatical since it is setuid root and don't use an abstraction
        /lib/libgcc_s.so* mr,
        /lib{,32,64}/libm-*.so* mr,
        /lib/@{multiarch}/libm-*.so* mr,
        /lib{,32,64}/libpthread-*.so* mr,
        /lib/@{multiarch}/libpthread-*.so* mr,
        /lib{,32,64}/libc-*.so* mr,
        /lib/@{multiarch}/libc-*.so* mr,
        /lib{,32,64}/libld-*.so* mr,
        /lib/@{multiarch}/libld-*.so* mr,
        /lib{,32,64}/ld-*.so* mr,
        /lib/@{multiarch}/ld-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
        /usr/lib/libstdc++.so* mr,
        # ---- wat0114's additions begin (shown in bold in the original post) ----
        /etc/ld.so.cache r,
        /dev/null rw,
        /proc/*/status r,
        /usr/lib/chromium-browser/chromium-browser ixr,
        /usr/lib/chromium-browser r,
        /usr/lib/x86_64-linux-gnu/** mr,
        /lib/x86_64-linux-gnu/** mr,
        /usr/lib/locale/locale-archive r,
        /usr/lib/chromium-browser/chrome.pak r,
        /etc/locale.alias r,
        /usr/lib/chromium-browser/** mr,
        /dev/urandom r,
        /proc/filesystems r,
        /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
        /proc/cpuinfo r,
        /proc/sys/kernel/shmmax r,
        /etc/localtime r,
        /usr/share/zoneinfo/* r,
        /usr/share/zoneinfo/** r,
        /run/shm/* r,
        /usr/share/fonts/truetype/msttcorefonts/* r,
        /usr/share/fonts/truetype/ubuntu-font-family/* r,
        # ---- additions end ----
        
        
        # Required for dropping into PID namespace. Keep in mind that until the
        # process drops this capability it can escape confinement, but once it
        # drops CAP_SYS_ADMIN we are ok.
        capability sys_admin,
    
        # All of these are for sanely dropping from root and chrooting
        capability chown,
        capability fsetid,
        capability setgid,
        capability setuid,
        capability dac_override,
        capability sys_chroot,
    
        # *Sigh*
        capability sys_ptrace,
    
        @{PROC}/ r,
        @{PROC}/[0-9]*/ r,
        @{PROC}/[0-9]*/fd/ r,
        @{PROC}/[0-9]*/oom_adj w,
        @{PROC}/[0-9]*/oom_score_adj w,
        @{PROC}/[0-9]*/task/[0-9]*/stat r,
    
        # ---- wat0114's additions begin (shown in bold in the original post) ----
        /usr/bin/chromium-browser r,
        /usr/lib/chromium-browser/chromium-browser/** rwkix,
        /usr/lib/chromium-browser/chromium-browser-sandbox r,
        /dev/shm/ rw,
        /dev/shm/** rwmk,
        # ---- additions end ----
    
        owner /tmp/** rw,
      }
    }
    This page helped me a lot, especially post #4.

    -http://ubuntuforums.org/showthread.php?t=1008906-

    *EDIT*

    LOL I see I pretty much have at least one duplicate in there :D
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,615
    Location:
    Canada
    Thanks for the info, HM! I couldn't keep "x" alone, as I had to pair it with another permission, so I just randomly chose "i".

    To get LastPass plugin to save login email address and preferences:

    Code:
    /home/*/.config/chromium/Default/databases/chrome-extension_hdokiejnpimakedhajhdlcegeplioahd_0/1* rwk,
    I placed it under the #chromium-browser-sandbox heading
     
    Last edited: Sep 11, 2012
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If you do Px and drop the profile into there it'll work.

    Instead of /home/*/.config/chromium/Default/databases/chrome-extension_blahblahblah

    You can just do

    /home/*/.config/chromium/Default/databases/chrome-extension_*/* rwk,

    Should work better.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,615
    Location:
    Canada
    I may try that option since my latest profile is backed up, although I've got everything working fine now.

    You're right, that's better. It's cleaner and will handle any file name changes.

    Thanks!
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The reason I'd suggest you use a separate profile is so that the Java plugin can be as restricted as possible.

    As it stands you have Chromium able to access chromium and Java files. You have Java able to access Java and Chromium files.

    Ideally it would be Chromium only accessing its files and Java only accessing its files.

    Those holes should be plugged up. I personally created child processes for them. There's currently a limitation in apparmor that allows for Ux rules to be abused pretty badly. Creating the xdg-settings child profiles is easy. I don't actually give it access to /bin/ps at all.
     
    Last edited: Sep 11, 2012
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,615
    Location:
    Canada
    I've commented out the last two with no ill effect but had to keep the first one.

    The java profile I'm working on.
     
  15. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Here's my profile for xchat. I used abstractions, but I made sure they had no Px or Ux rules (as those give problems right now in AppArmor, especially Ux which has always been known to be bad).

    This profile will only work if you have the abstractions (which come by default with Ubuntu). Thus, this profile is really only for Ubuntu.

    So far I have tested it for several hours, running and closing and running it again. I think I have gotten most every warning in syslog accounted for.

    This is as locked down of a profile as I could possibly make it. I do not specifically deny capabilities since they will not be granted by default unless the profile explicitly *allows* them.

    The only major thing this profile doesn't allow is clickable hyperlinks (since I don't really feel like adding a child profile for a browser). You will have to cut and paste links manually. It also doesn't include python or tcl support (it does have Perl support). If you need python or tcl, you will have to edit it manually (I have most scripting disabled in xchat itself since I use xchat with Tor. Tor needs as much extra fluff turned off as possible for security). But all in all, if you just want to get on IRC and chat (including with Tor), it has full functionality.

    Installation:

    If you don't know about apparmor, save the below code into a file named "usr.bin.xchat". Place that file into the /etc/apparmor.d/ directory. Then run:

    Code:
    sudo aa-enforce usr.bin.xchat
    Start xchat and it should be protected.

    START of profile:

    Code:
    # Last Modified: Tue Sep 11 02:22:25 2012
    #include <tunables/global>
    
    ### The abstractions used here were checked for safety.  None of them contain any Ux or Px executables. ###
    
    /usr/bin/xchat {
      #include <abstractions/dbus-session>
      #include <abstractions/enchant>
      #include <abstractions/fonts>
      #include <abstractions/perl>
      #include <abstractions/private-files-strict>
    
      # Allow TCP/UDP network access.  Didn't use abstractions here
      network inet  stream,
      network inet6 stream,
      network inet  dgram,
      network inet6 dgram,
    
      # Allow xchat to read all of /home but limit write to specific dirs.  (NOTE: the private-files-strict abstraction above prohibits xchat from reading sensitive areas of /home like .ssh, .gnupg, etc.)
      /home/*/** r,
      owner /home/*/.cache/dconf/user rw,
      owner /home/*/.config/enchant/en_US* rwk,
      owner /home/*/.config/ibus/bus/ rw,
      owner /home/*/.xchat2/** rw,
    
      #  This is for file transfers.  Allow Downloads to /home/*/Downloads
      owner /home/*/Downloads/* rw,
    
      /dev/null r,
      /dev/urandom r,
    
      /etc/fstab r,
      /etc/ld.so.cache r,
      /etc/locale.alias r,
      /etc/localtime r,
      /etc/nsswitch.conf r,
      /etc/passwd r,
    
      /sys/devices/system/cpu/online r,
    
      owner /usr/bin/xchat mr,
    
      # Allow it to read all of /usr/lib but restrict -m as much as is possible
      /usr/lib/ r,
      /usr/lib/** r,
      /usr/lib/libaspell* m,
      /usr/lib/libperl* m,
      /usr/lib/enchant/libenchant_*spell.so m,
      /usr/lib/xchat/plugins/perl.so m,
      /usr/lib/liblaunchpad-integration* m,
      /usr/lib/x86_64-linux-gnu/** m,
      /usr/lib/libsexy* m,
      /usr/lib/liboverlay-scrollbar* m,
      /usr/lib/libenchant* m,
      /usr/lib/gtk-2.0/2.10.0/menuproxies/libappmenu.so m,
      
      /usr/share/X11/locale/ r,
      /usr/share/X11/locale/** r,
      /usr/share/gvfs/remote-volume-monitors/ r,
    
      # Provided -m flag to all of /lib/x86_64-linux-gnu since tons of .so's need it
      /lib/x86_64-linux-gnu/ r,
      /lib/x86_64-linux-gnu/** mr,
      
      # Allow xchat to read ssl cert store (needed for SSL connections on IRC).
      /usr/share/ca-certificates/ r,
      /usr/share/ca-certificates/** r,
    
      # All of this is needed for graphics, themes, etc.
      /usr/share/pixmaps/ r,
      /usr/share/glib-2.0/schemas/gschemas.compiled r,
      /usr/share/themes/ r,
      /usr/share/themes/** r,
      /usr/share/icons/ r,
      /usr/share/icons/** r,
      /usr/share/mime/ r,
      /usr/share/mime/** r,
    
      /proc/filesystems r,
      /proc/stat r,
      /proc/cpuinfo r,
      /proc/meminfo r,
      /proc/*/mounts r,
    }
     
    Last edited: Sep 12, 2012
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,615
    Location:
    Canada
    Thanks chronomatic!

    I don't really know about abstractions, Px or Ux now, only enough about apparmor to get a basic profile going, then study the logs to find where the problems are, then apply the denied names with masks to the profile.

    Some things I ran into I couldn't resolve, like getting a "c" mask for one log entry, but when I applied the c mask to the path in the profile then tried to reload it, it didn't like the syntax. Anyway, it didn't break the program (Chrome) so I just left it out.

    Another one, for example, that even if I create a rule for it, it still shows as blocked in the logs:

    Code:
    name="/anon_hugepage//deleted" pid=27506 comm="chromium-browse" requested_mask="r" denied_mask="r"
    Maybe it doesn't like the double "/" in the name?
     
    Last edited: Sep 12, 2012
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Abstractions are predefined rulesets that you can import. So you can create an abstraction for the GPU and it's a profile that gives access to some GPU related files. Import it into your Chrome profile and now Chrome gets access to those files. It's just a way to simplify things.

    I typically try to stray from those as they can give too many rights but Chronomatic said he had a look at them first.

    Px opens the process in its apparmor profile. Ux opens it confined. If the P is lower case or the U is lower case, the environment isn't sanitized, which is pretty dangerous. Ux leads to privilege escalation pretty much every time, though, and shouldn't ever be used unless completely necessary.

    Cx opens it in a separate profile, but the profile exists only for the application when it is launched by the specific process, i.e.:

    If Chrome launches a.exe with Cx it'll get its own little child profile. If Firefox opens a.exe with Cx it'll have a separate profile.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,615
    Location:
    Canada
    Thanks HM! That helps, and I'm slowly gaining a better understanding of this as I use it more. I built a profile for Thunderbird last night using aa-genprof. I just need to clean it up a bit :)
     
  19. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Java is what is requesting that. I, too, have tried putting it in my profile, but it still complains in the logs. In any case, it doesn't seem to affect Java in any way by being denied, so I just ignore it.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,615
    Location:
    Canada
    Maybe it's a bug?

    Anyway, my final (seemingly) Thunderbird profile after extensive tweaking:

    Code:
    # Last Modified: Sat Sep 15 23:24:22 2012
    #include <tunables/global>
    
    /usr/lib/thunderbird/thunderbird.sh {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/cups-client>
      #include <abstractions/dbus-session>
      #include <abstractions/fonts>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/nvidia>
      #include <abstractions/p11-kit>
      #include <abstractions/user-write>
    
    
    
      /bin/dash rix,
      /bin/grep rix,
      /bin/ps rix,
      /bin/which rix,
      /bin/sed ix,
      /bin/ls ix,
      /bin/uname ix,
      /etc/firefox/syspref.js r,
      /etc/mime.types r,
      /etc/thunderbird/syspref.js r,
      /home/*/.lastpass/** r,
      /home/*/.lastpass/lp-1.suid w,
      /home/*/.local/share/ r,
      /home/*/.local/share/* rw,
      /home/*/.local/share/applications/mimeapps.list r,
      /home/*/.local/share/mime/ r,
      /home/*/.local/share/mime/** r,
      /home/*/.macromedia/Flash_Player/#SharedObjects/ r,
      /home/*/.macromedia/Flash_Player/#SharedObjects/** rw,
      /home/*/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/** rw,
      /home/*/.mozilla/firefox/*.default/ r,
      /home/*/.mozilla/firefox/*.default/** mrwk,
      "/home/*/.mozilla/firefox/Crash Reports/*" r,
      /home/*/.mozilla/firefox/profiles.ini r,
      /home/*/.profile r,
      /home/*/.pulse-cookie rwk,
      /home/*/.thumbnails/normal/* r,
      /home/*/.thunderbird/*.default/ r,
      /home/*/.thunderbird/*.default/** rwk,
      /home/*/.thunderbird/*.default/ImapMail/imap.telus.net/ r,
      /home/*/.thunderbird/*.default/ImapMail/imap.telus.net/** rw,
      "/home/*/.thunderbird/*.default/Mail/Local Folders/*" rw,
      /home/*/.thunderbird/*.default/startupCache/startupCache.8.little rw,
      "/home/*/.thunderbird/Crash Reports/*" r,
      /home/*/.thunderbird/profiles.ini r,
      /home/*/.xsession-errors r,
      "/home/*/Documents/*" r,
      /proc/* r,
      /proc/** r,
      /run/shm/sem.* rw,
      /sys/devices/system/cpu/present r,
      owner /tmp/** lk,
      /tmp/** rw,
      /usr/bin/dirname ix,
      /usr/bin/basename ix,
      /usr/bin/eog rix,
      /usr/bin/evince rix,
      /usr/bin/vlc rix,
      /usr/lib/firefox/firefox* rix,
      /usr/lib/firefox/plugin-container rix,
      /usr/lib/thunderbird/thunderbird rix,
      /usr/lib/libreoffice/program/* ix,
      /usr/lib{,32,64}/** mr,
      /usr/share/** r,
      /usr/share/mozilla/extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}/ r,
    
      owner /{run,dev}/shm/pulse-shm* k,
      /{run,dev}/shm/pulse-shm* rw,
    
    }
    It allows me to perform most every conceivable operation with Thunderbird, including opening of links within messages. I've updated both the user-write and nvidia abstractions to include some more paths.

    BTW, I have found that using aa-genprof to scan for and create profiles, or even afterward using aa-logprof with the application in complain mode does not seem to find everything needed when I exercise a target executable thoroughly. I find using those methods followed up by manually profiling with a tail log is most effective.

    Finally, I'm amazed at how granular Apparmor can be configured. It really seems to be several steps ahead of the Windows integrity level mechanism in Vista/Win7.
     
    Last edited: Sep 16, 2012
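    As an added example (not code from this thread or from the AppArmor project), the manual "tail the log, then add the denied names with their masks" loop wat0114 describes, and the `*` versus `**` globbing question from the chrome-extension rule earlier, in Python: it parses the apparmor="DENIED" records in the syslog format quoted above, checks each denied path against the profile's existing rules using AppArmor's glob semantics, and lists the rule lines still missing. The tunables values, the profile excerpt and the log lines are constructed assumptions, not real system data.

```python
import re
TUNABLES = {"@{HOME}": "/home/*", "@{PROC}": "/proc"}   # assumed tunables/global values
LOG_TO_RULE = {"c": "w", "d": "w"}   # log says create/delete; a rule grants both via w
GLOB_TOKEN = re.compile(r'\*\*|\*|\?|\[[^\]]*\]|\{|\}|,|\\.|.')
SIMPLE = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")"}
RULE_RE = re.compile(r'^\s*(?:owner\s+)?(?P<path>"[^"]+"|[/@]\S*)\s+'
                     r'(?P<mask>[A-Za-z]+)(?:\s*->\s*\S+)?\s*,\s*$')

def glob_to_regex(pattern):
    """AppArmor globbing as an anchored regex: '*' stays within one path
    component, '**' crosses '/', '{a,b}' alternates, '[..]' is a class."""
    for var, value in TUNABLES.items():
        pattern = pattern.replace(var, value)
    out, depth = [], 0
    for tok in GLOB_TOKEN.findall(pattern):
        depth += (tok == "{") - (tok == "}")
        if tok in SIMPLE:
            out.append(SIMPLE[tok])
        elif tok == "," and depth:
            out.append("|")
        elif tok.startswith("["):
            out.append(tok)
        else:
            out.append(re.escape(tok[-1]))   # plain or backslash-escaped char
    return re.compile("^" + "".join(out) + "$")

def parse_rules(profile_text):
    """(regex, granted masks) per file rule; include/deny/capability/network
    lines are skipped and 'owner' is ignored, so the check is optimistic."""
    rules = []
    for m in filter(None, map(RULE_RE.match, profile_text.splitlines())):
        have = set(m.group("mask").lower())
        if "w" in have:
            have.add("a")                      # w already implies append
        rules.append((glob_to_regex(m.group("path").strip('"')), have))
    return rules

def suggest_rules(log_lines, profile_text):
    """Sort apparmor="DENIED" records into (paths a rule already covers, rule
    lines still to add); masks for one path are merged into one line."""
    rules = parse_rules(profile_text)
    covered, missing = [], {}
    for line in log_lines:
        f = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        path = f["name"]
        need = {LOG_TO_RULE.get(ch, ch) for ch in f["denied_mask"]}
        if any(rx.match(path) and need <= have for rx, have in rules):
            covered.append(path)
        else:
            missing[path] = missing.get(path, set()) | need
    return covered, ["%s %s," % (p, "".join(sorted(n)))
                     for p, n in sorted(missing.items())]
# Constructed profile excerpt and syslog lines (made-up user, pid, timestamp).
PROFILE = """\
/usr/lib/chromium-browser/chromium-browser {
  @{PROC}/[0-9]*/status r,
  /home/*/.config/chromium/Default/databases/chrome-extension_*/* rwk,
  /usr/share/zoneinfo/* r,
}
"""
def _line(op, name, mask):
    return ('Sep 11 20:01:02 box kernel: type=1400 audit(1347400862.1:50): '
            'apparmor="DENIED" operation="%s" profile="/usr/lib/chromium-browser/'
            'chromium-browser" name="%s" pid=27506 comm="chromium-browse" '
            'requested_mask="%s" denied_mask="%s" fsuid=1000 ouid=0' % (op, name, mask, mask))
LOG = [
    _line("open", "/home/wat/.config/chromium/Default/databases/"
          "chrome-extension_hdokiejnpimakedhajhdlcegeplioahd_0/1", "wc"),
    _line("open", "/proc/27506/status", "r"),
    _line("open", "/usr/share/zoneinfo/America/Edmonton", "r"),
    _line("file_mmap", "/anon_hugepage//deleted", "r"),
]
```

    Calling suggest_rules(LOG, PROFILE) reports the extension database and /proc/27506/status as covered, and proposes rules for the zoneinfo file (the existing `*` rule does not cross the `/` in America/Edmonton) and for /anon_hugepage//deleted.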
  21. tlu

    tlu Guest

    Well, from my experience you have to execute aa-logprof several times in order to get a (more or less) complete profile for a complex application. I think that is due to the fact that quite often creating a rule depends on the existence of another one - if that one doesn't exist yet, the application doesn't get "far" enough. BTW, aa-logprof also works if the profile is in enforce mode - so adding new rules if something doesn't work is rather easy.
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,615
    Location:
    Canada
    Believe me, I did many times over with Thunderbird :) I got the impression while tuning the profile it is a very complex application given all the actions I want it to perform.

    This could have been the case for sure. I also did lots of profiling with the application in enforce mode. I don't even mind checking the syslog and simply applying a filter to find the pertinent entries.
     
  23. tlu

    tlu Guest

    Same here :D

    Yes, but aa-logprof is easier and more comfortable, IMHO.
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,615
    Location:
    Canada
    It certainly is cleaner. I just found myself using syslog to more or less finalize a few things the application still needed.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah. The level that you can confine a program on Linux using only what's built into the kernel is really impressive.
     