Anyone using Apparmor?

Discussion in 'all things UNIX' started by Hungry Man, Mar 11, 2012.

  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Oops, but I didn't know. :argh: Very comprehensive I must say. :thumb:
     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Yeah I am about to go over there and make some updates to the profile.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Cool! I was reading that thread mere minutes ago before finding this out now :thumb: One thing I won't do, though, is copy/paste yours or someone else's profiles, otherwise I'll never learn ;) I re-did another Chrome profile last night but I'm still not satisfied with it. It works, but I screwed up the relation between it and the Sandbox profile, so back to the drawing board later today.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It takes some practice. It's mostly about knowing when you should inherit, child, or profile. It's not that hard, just never profile the 'big' ones like wget or dash, child them or inherit them.

    And never inherit something that'll be using separate files than what's in the profile. So you inherit wget because it'll just be used on files that the program can already access but you child xdg-settings because it's going to be launched to do other stuff.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Thanks! I started with the sandbox profile first, and all was going fine until it generated a chrome-browser profile when I used a Px entry, then I somehow inadvertently added sandbox paths to the chrome profile, when I think they should have been added to the sandbox profile o_O I think I know what I need to do now, however, so it doesn't happen again :)
     
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Ok so I spent a while profiling Google Chrome. I decided to make a child profile for every process Chrome called. I also was careful not to use any abstractions, except for a few in the main profile which are safe.

    I also made my own abstraction for chrome-libs-strict. These are the libraries chrome needs. I decided to put it into another file because it was so large.

    Here is the profile. It's big.

    Code:
    # Last Modified: Wed Sep 19 08:49:42 2012
    #include <tunables/global>
      
    /opt/google/chrome/*chrome {
      #include <abstractions/audio>
      #include <abstractions/chrome-libs-strict>
      #include <abstractions/cups-client>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/nvidia>  
      #include <abstractions/ubuntu-browsers.d/java>
      #include <abstractions/user-tmp>
      
      # For networking.  Decided not to use abstractions here.  
      network inet stream,
      network inet6 stream,
      network inet  dgram,
      network inet6 dgram,
      /etc/host.conf r,
      /etc/hosts r,
      /etc/nsswitch.conf r,
      /etc/resolv.conf r,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r, 
    
      /bin/bash r,
      
      /opt/google/chrome/ r,
      /opt/google/chrome/** m,
      /opt/google/chrome/** rwkl,
      
      /dev/ r,
      /dev/null rw,
      /dev/tty rw,
      /dev/urandom r,
      
      /etc/ld.so.cache r,
      /etc/locale.alias r,
      /etc/debian_version r,
      /etc/gnome/defaults.list r,
      /etc/group r,  
      /etc/lsb-release r,
      /etc/localtime r,
      /etc/gai.conf r,
      /etc/mtab r,
      /etc/mime.types r,
      /etc/mailcap r,
      /etc/passwd r,
      /etc/xdg/xubuntu/applications/defaults.list r,
    
      /run/shm/*.google** rw,
      /selinux/ r,
      /var/lib/dbus/machine-id r,
      
      owner @{HOME}/.config/google-chrome/ r,
      owner @{HOME}/.config/google-chrome/** rwkl,
      owner @{HOME}/.cache/dconf/user rw,
      owner @{HOME}/.config/dconf/user r,
      owner @{HOME}/.local/share/applications/mimeapps.list** rw,
      owner @{HOME}/.config/google-chrome/ r,
      owner @{HOME}/.config/google-chrome/** rwkl,
      owner @{HOME}/.config/ibus/bus/ rw,
      owner @{HOME}/.cache/google-chrome/Default/Cache/ r,
      owner @{HOME}/.cache/google-chrome/Default/Cache/** rw,
      owner @{HOME}/.nvidia/* rw,
      owner @{HOME}/.nv/GLCache/ r,
      owner @{HOME}/.nv/GLCache/** rwk,
      @{HOME}/.Xauthority r,
    
      # For nautilus so you can browse dirs
      /usr/bin/nautilus rix,
    
      # To Open transmission bit torrent client (NOTE: I have a separate profile for it).
      /usr/bin/transmission-gtk rPx,
    
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/cpuinfo r,
      @{PROC}/filesystems r,
      @{PROC}/ r,
      @{PROC}/*/maps r,
      @{PROC}/stat r,
      @{PROC}/meminfo r,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      @{PROC}/*/oom_score_adj rw,
      @{PROC}/sys/kernel/shmmax r,
      @{PROC}/*/task/ r,
      owner @{PROC}/[0-9]*/cmdline r,
      owner @{PROC}/[0-9]*/io r,
      owner @{PROC}/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/status r,
       
      
      # Newer chromium needs these now
      /sys/devices/pci[0-9]*/**/class r,
      /sys/devices/pci[0-9]*/**/device r,
      /sys/devices/pci[0-9]*/**/irq r,
      /sys/devices/pci[0-9]*/**/resource r,
      /sys/devices/pci[0-9]*/**/vendor r,
      /sys/devices/system/cpu/online r,
      /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
      /sys/bus/pci/devices/ r,
      
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
        
      owner @{HOME}/.pki/nssdb/* rwk, 
       
      # For themes
      /usr/share/misc/ r,
      /usr/share/misc/** r,
      /usr/share/glib-2.0/schemas/ r,
      /usr/share/glib-2.0/schemas/** r,
      /usr/share/themes/ r,
      /usr/share/themes/** r,
    
      # For timezone info
      /usr/share/zoneinfo/ r,
      /usr/share/zoneinfo/** r,
    
      # For locale stuff
      /usr/share/X11/locale/ r,
      /usr/share/X11/locale/** r,
      /usr/share/X11/XErrorDB r,
    
      /tmp/* m,
    
      # All of these processes have child profiles below
      /bin/mkdir cxr,
      /bin/which cxr,
      /bin/readlink cxr,
      /usr/bin/lsb_release cxr,
      /usr/bin/xdg-settings cxr,
      /usr/bin/dirname cxr,
      
       # Allow transitions to ourself and our sandbox
      /opt/google/chrome/chrome-sandbox cx -> chrome_sandbox,
      /opt/google/chrome/*chrome ixr,  
      /opt/google/chrome/nacl_helper_bootstrap ixr,    
    
      
      profile /bin/mkdir {
    
      /bin/mkdir r,
      /etc/ld.so.cache r,
      /lib/x86_64-linux-gnu/libselinux.so* mr,
      /lib/x86_64-linux-gnu/libc*.so mr,
      /lib/x86_64-linux-gnu/libdl*.so mr,
      /lib/x86_64-linux-gnu/ld*.so mr,
      /proc/filesystems r,
      /usr/lib/locale/locale-archive r,
      }
      
      profile /bin/which {
    
      /etc/ld.so.cache r,
      /bin/dash r,
      /bin/which r,
      /dev/null rw,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/ld-*.so mr,
      }
    
      profile /bin/readlink {
    
      /bin/readlink r,
      /etc/ld.so.cache r,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/ld*.so mr,
      /usr/lib/locale/locale-archive r,
      }
    
      profile /usr/bin/dirname {
    
      /etc/ld.so.cache r,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/ld-*.so mr,
      /usr/bin/dirname r,
      /usr/lib/locale/locale-archive r,
      }
      
      profile /usr/bin/lsb_release {
    
        /etc/ld.so.cache r,
        /etc/lsb-release r,
        /etc/python2.7/sitecustomize.py r,
        /lib/x86_64-linux-gnu/ld-*.so r,
        /lib/x86_64-linux-gnu/libc-*.so mr,
        /lib/x86_64-linux-gnu/libcrypto.so.* mr,
        /lib/x86_64-linux-gnu/libdl-*.so mr,
        /lib/x86_64-linux-gnu/libgcc_s.so.* mr,
        /lib/x86_64-linux-gnu/libm-*.so mr,
        /lib/x86_64-linux-gnu/libpthread-*.so mr,
        /lib/x86_64-linux-gnu/libssl.so.* mr,
        /lib/x86_64-linux-gnu/libutil-*.so mr,
        /lib/x86_64-linux-gnu/libz.so.* mr,
        /proc/meminfo r,
        /usr/bin/lsb_release r,
        /usr/bin/python2.7 r,
        /usr/include/python2.7/pyconfig.h r,
        /usr/lib/locale/** r,
        /usr/lib/pymodules/python2.7/.path r,
        /usr/lib/python2.7/** r,
        /usr/local/lib/python2.7/*/ r,
        /usr/share/pyshared/* r,
    
      }
    
      profile /usr/bin/xdg-settings {
    
        /bin/dash r,
        /bin/grep rix,
        /bin/readlink rix,
        /bin/sed rix,
        /bin/which rix,
        /etc/ld.so.cache r,
        /home/*/.local/share/applications/google-chrome.desktop r,
        /home/*/.local/share/applications/mimeapps.list r,
        /lib/x86_64-linux-gnu/ld-*.so r,
        /lib/x86_64-linux-gnu/libc-*.so mr,
        /lib/x86_64-linux-gnu/libdbus-1.so.* mr,
        /lib/x86_64-linux-gnu/libdl-*.so mr,
        /lib/x86_64-linux-gnu/libglib-2.0.so.* mr,
        /lib/x86_64-linux-gnu/libm-*.so mr,
        /lib/x86_64-linux-gnu/libpcre.so.* mr,
        /lib/x86_64-linux-gnu/libpthread-*.so mr,
        /lib/x86_64-linux-gnu/libresolv-*.so mr,
        /lib/x86_64-linux-gnu/librt-*.so mr,
        /lib/x86_64-linux-gnu/libselinux.so.* mr,
        /lib/x86_64-linux-gnu/libz.so.* mr,
        /proc/*/maps r,
        /proc/filesystems r,
        /usr/bin/basename rix,
        /usr/bin/cut rix,
        /usr/bin/gawk rix,
        /usr/bin/gconftool-2 rix,
        /usr/bin/xdg-mime rix,
        /usr/bin/xdg-settings r,
        /usr/lib/libsigsegv.so.* mr,
        /usr/lib/locale/** r,
        /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
        /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.* mr,
        /usr/lib/x86_64-linux-gnu/libffi.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgconf-2.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgio-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,
    
      }
    
      profile chrome_sandbox {
        # Be fanatical since it is setuid root and don't use an abstraction
      /lib/libgcc_s.so* mr,
      /lib{,32,64}/libm-*.so* mr,
      /lib/@{multiarch}/libm-*.so* mr,
      /lib{,32,64}/libpthread-*.so* mr,
      /lib/@{multiarch}/libpthread-*.so* mr,
      /lib{,32,64}/libc-*.so* mr,
      /lib/@{multiarch}/libc-*.so* mr,
      /lib{,32,64}/libld-*.so* mr,
      /lib/@{multiarch}/libld-*.so* mr,
      /lib{,32,64}/ld-*.so* mr,
      /lib/@{multiarch}/ld-*.so* mr,  
    
      /lib/x86_64-linux-gnu/ld-*.so mr,
      /lib/x86_64-linux-gnu/libcom_err.so* mr,
      /lib/x86_64-linux-gnu/libexpat.so* mr,
      /lib/x86_64-linux-gnu/librt*.so mr,
      /lib/x86_64-linux-gnu/libdl*.so mr,
      /lib/x86_64-linux-gnu/libgcc_s.so* mr,
      /lib/x86_64-linux-gnu/libglib-*.so.* mr,
      /lib/x86_64-linux-gnu/libgcrypt.so.* mr,
      /lib/x86_64-linux-gnu/libgpg-error.so* mr,
      /lib/x86_64-linux-gnu/libkeyutils.so* mr,
      /lib/x86_64-linux-gnu/libz.so.* mr,
      /lib/x86_64-linux-gnu/libdbus-*.so* mr,
      /lib/x86_64-linux-gnu/libudev.so* mr,
      /lib/x86_64-linux-gnu/libbz2.so* mr,
      /lib/x86_64-linux-gnu/libpcre.so* mr,
      /lib/x86_64-linux-gnu/libpng12.so* mr,
      /lib/x86_64-linux-gnu/libresolv*.so* mr,
      /lib/x86_64-linux-gnu/libselinux.so* mr,
      /usr/lib/x86_64-linux-gnu/libk5crypto.so* mr,
      /usr/lib/x86_64-linux-gnu/libavahi**.so* mr,
      /usr/lib/x86_64-linux-gnu/libasound.so* mr,
      /usr/lib/x86_64-linux-gnu/libatk-*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcairo.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcups.so* mr,
      /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so* mr,
      /usr/lib/x86_64-linux-gnu/libffi.so* mr,
      /usr/lib/x86_64-linux-gnu/libfontconfig.so.* mr,
      /usr/lib/x86_64-linux-gnu/libfreetype.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgdk-x11-*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgnutls.so* mr,
      /usr/lib/x86_64-linux-gnu/libgobject*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgio-*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgmodule-*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so* mr,
      /usr/lib/x86_64-linux-gnu/libgthread*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgtk-x11-*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libkrb5support.so* mr,
      /usr/lib/x86_64-linux-gnu/libkrb5.so* mr,
      /usr/lib/x86_64-linux-gnu/libnss3.so mr,
      /usr/lib/x86_64-linux-gnu/libnspr4.so mr,
      /usr/lib/x86_64-linux-gnu/libnssutil3.so mr,
      /usr/lib/x86_64-linux-gnu/libp11-kit.so* mr,
      /usr/lib/x86_64-linux-gnu/libpango**.so* mr,
      /usr/lib/x86_64-linux-gnu/libplc4.so mr,
      /usr/lib/x86_64-linux-gnu/libplds4.so mr,
      /usr/lib/x86_64-linux-gnu/libpixman-1.so* mr,  
      /usr/lib/x86_64-linux-gnu/libsmime3.so mr,
      /usr/lib/x86_64-linux-gnu/libsqlite3.so* mr, 
      /usr/lib/x86_64-linux-gnu/libstdc++.so* mr,
      /usr/lib/x86_64-linux-gnu/libtasn1.so* mr,
      /usr/lib/x86_64-linux-gnu/libxcb**.so* mr,
      /usr/lib/x86_64-linux-gnu/libX**.so** mr,    
      /usr/lib/x86_64-linux-gnu/libgconf-*.so* mr,  
      /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so mr,
      /usr/lib/x86_64-linux-gnu/nss/libfreebl3.so mr,
       
      /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
      /usr/lib/libstdc++.so* mr,  
    
      /etc/ld.so.cache r,
    
      /usr/share/fonts/ r,
      /usr/share/fonts/** r,
      /usr/share/zoneinfo/ r,
      /usr/share/zoneinfo/** r,
    
    
      # Required for dropping into PID namespace. Keep in mind that until the
      # process drops this capability it can escape confinement, but once it
      # drops CAP_SYS_ADMIN we are ok.
      capability sys_admin,
    
      # All of these are for sanely dropping from root and chrooting
      capability chown,
      capability fsetid,
      capability setgid,
      capability setuid,
      capability dac_override,
      capability sys_chroot,
    
      # *Sigh*
      capability sys_ptrace,
    
      @{PROC}/ r,
      /proc/[0-9]*/ r,
      @{PROC}/[0-9]*/proc/cpuinfo/ r,
      @{PROC}/[0-9]*/fd/ r,
      /proc/*/maps r,
      @{PROC}/[0-9]*/oom_adj w,
      @{PROC}/[0-9]*/oom_score_adj w,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      /proc/filesystems r,
      /proc/cpuinfo r,  
      /proc/*/status r,
      /proc/sys/kernel/shmmax r,
      
    
      /etc/locale.alias r,
      /etc/localtime r,
    
      /dev/null r,
      /dev/urandom r,
    
      /run/shm/.com.google** r,
      /run/shm/.com.google** rw,
    
      /usr/lib/locale/locale-archive r,
    
      /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
    
      /home/*/.config/google-chrome/Default/databases/ r,
      /home/*/.config/google-chrome/Default/databases/** rwkl,
    
      /opt/google/chrome/ r,
      /opt/google/chrome/** r,
      /opt/google/chrome/** m,
      /opt/google/chrome/*chrome ix,
      /opt/google/chrome/nacl_helper_bootstrap ix,
      /opt/google/chrome/chrome-sandbox r,
    
      owner /tmp/** rw,
      }
    
    }
    Here's the chrome-libs-strict abstraction. Place this file in /etc/apparmor.d/abstractions.

    Code:
    # vim:syntax=apparmor
    
      # These are the libs for Chrome.  I was very strict here.
    
      /lib/libnss*.so* mr,
    
      /lib/x86_64-linux-gnu/ld*.so mr,
      /lib/x86_64-linux-gnu/libbz2.so* mr,
      /lib/x86_64-linux-gnu/libc**.so mr,
      /lib/x86_64-linux-gnu/libcom_err.so* mr,
      /lib/x86_64-linux-gnu/libcrypto.so.* mr,
      /lib/x86_64-linux-gnu/libdbus*.so* mr,
      /lib/x86_64-linux-gnu/libdl**.so mr,
      /lib/x86_64-linux-gnu/libexpat.so* mr,
      /lib/x86_64-linux-gnu/libgcc_s.so* mr,
      /lib/x86_64-linux-gnu/libgcrypt.so* mr,
      /lib/x86_64-linux-gnu/libglib-*.so.* mr,
      /lib/x86_64-linux-gnu/libgpg-error.so* mr,
      /lib/x86_64-linux-gnu/libkeyutils.so* mr,
      /lib/x86_64-linux-gnu/libm*.so mr,
      /lib/x86_64-linux-gnu/libnsl-*.so mr,
      /lib/x86_64-linux-gnu/libpci.so.* mr,
      /lib/x86_64-linux-gnu/libpcre.so* mr,
      /lib/x86_64-linux-gnu/libpng12.so* mr,
      /lib/x86_64-linux-gnu/libpthread*.so mr,
      /lib/x86_64-linux-gnu/libresolv*.so mr,
      /lib/x86_64-linux-gnu/librt-*.so mr,
      /lib/x86_64-linux-gnu/libselinux.so.* mr,
      /lib/x86_64-linux-gnu/libssl.so.* mr,
      /lib/x86_64-linux-gnu/libtinfo.so.* mr,
      /lib/x86_64-linux-gnu/libudev.so* mr,
      /lib/x86_64-linux-gnu/libutil-*.so mr,
      /lib/x86_64-linux-gnu/libuuid.so.* mr,
      /lib/x86_64-linux-gnu/libz.so* mr,
      /lib/x86_64-linux-gnu/libwrap.so* mr,
      /lib/x86_64-linux-gnu/libnss*.so* mr,
        
      /usr/lib/firefox-addons/plugins/ r,
      /usr/lib/xulrunner-addons/plugins/ r,
      /usr/lib/flashplugin-installer/libflashplayer.so mr,
      /usr/lib/gtk-2.0/2.10.0/menuproxies/libappmenu.so mr,
      /usr/lib/libdee*.so* mr,
      /usr/lib/libicudata.so.* mr,
      /usr/lib/libicui18n.so.* mr,
      /usr/lib/libicuuc.so.* mr,
      /usr/lib/liboverlay-scrollbar-0.2.so.* mr,
      /usr/lib/libGL.so* mr,
      /usr/lib/libsigsegv.so.* mr,
      /usr/lib/libtotem-plparser-mini.so.* mr,
      /usr/lib/libunity.so.* mr,
      /usr/lib/locale/locale-archive r,
      /usr/lib/mozilla/plugins/ r,
      /usr/lib/mozilla/plugins/*.so mr,
      /usr/lib/pymodules/python2.7/* r,
      /usr/lib/python2.7/config/* r,
      /usr/lib/tls/libnvidia-tls.so* mr,
      /usr/lib/libnvidia*.so* mr,
        
      /usr/lib/x86_64-linux-gnu/gconv/gconv-modules r,
      /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
      /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache r,
      /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so mr,
      /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so mr,
      /usr/lib/x86_64-linux-gnu/gio/modules/ r,
      /usr/lib/x86_64-linux-gnu/gio/modules/* mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/* mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules r,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/immodules/im-ibus.so mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so mr,
      /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so mr,
      /usr/lib/x86_64-linux-gnu/libICE.so.* mr,
      /usr/lib/x86_64-linux-gnu/libSM.so.* mr,
      /usr/lib/x86_64-linux-gnu/libX** mr,
      /usr/lib/x86_64-linux-gnu/libX*.so* r,
      /usr/lib/x86_64-linux-gnu/libX11.so** mr,
      /usr/lib/x86_64-linux-gnu/libasn1.so.* mr,
      /usr/lib/x86_64-linux-gnu/libasound.so* mr,
      /usr/lib/x86_64-linux-gnu/libatk*.so* mr,
      /usr/lib/x86_64-linux-gnu/libavahi-client.so* mr,
      /usr/lib/x86_64-linux-gnu/libavahi-common.so* mr,
      /usr/lib/x86_64-linux-gnu/libcairo.so* mr,
      /usr/lib/x86_64-linux-gnu/libcanberra-gtk.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcanberra.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcups.so* mr,
      /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.* mr,
      /usr/lib/x86_64-linux-gnu/libdbus-glib*.so* mr,
      /usr/lib/x86_64-linux-gnu/libdbusmenu-glib.so.* mr,
      /usr/lib/x86_64-linux-gnu/libdbusmenu-gtk.so.* mr,
      /usr/lib/x86_64-linux-gnu/libffi.so* mr,
      /usr/lib/x86_64-linux-gnu/libfontconfig.so* mr,
      /usr/lib/x86_64-linux-gnu/libfreetype.so* mr,
      /usr/lib/x86_64-linux-gnu/libgconf*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgdk-*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgdk_pixbuf*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgee.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgio*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgmodule*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgnutls.so* mr,
      /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgssapi.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so* mr,
      /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgtk-*.so* mr,
      /usr/lib/x86_64-linux-gnu/libhcrypto.so.* mr,
      /usr/lib/x86_64-linux-gnu/libheimbase.so.* mr,
      /usr/lib/x86_64-linux-gnu/libheimntlm.so.* mr,
      /usr/lib/x86_64-linux-gnu/libhx509.so.* mr,
      /usr/lib/x86_64-linux-gnu/libibus-1.0.so.* mr,
      /usr/lib/x86_64-linux-gnu/libidn.so.* mr,
      /usr/lib/x86_64-linux-gnu/libjson-glib*.so* mr,
      /usr/lib/x86_64-linux-gnu/libk5crypto.so* mr,
      /usr/lib/x86_64-linux-gnu/libkrb5.so* mr,
      /usr/lib/x86_64-linux-gnu/libkrb5support.so* mr,
      /usr/lib/x86_64-linux-gnu/liblber*.so* mr,
      /usr/lib/x86_64-linux-gnu/libldap_r*.so* mr,
      /usr/lib/x86_64-linux-gnu/libltdl.so.* mr,
      /usr/lib/x86_64-linux-gnu/liblua5.1.so.* mr,
      /usr/lib/x86_64-linux-gnu/libnspr4.so mr,
      /usr/lib/x86_64-linux-gnu/libnss3.so mr,  
      /usr/lib/x86_64-linux-gnu/libnssutil3.so mr,
      /usr/lib/x86_64-linux-gnu/libogg.so.* mr,
      /usr/lib/x86_64-linux-gnu/libp11-kit.so* mr,
      /usr/lib/x86_64-linux-gnu/libpango*.so* mr,
      /usr/lib/x86_64-linux-gnu/libpangocairo*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libpixman*.so* mr,
      /usr/lib/x86_64-linux-gnu/libplc4.so mr,
      /usr/lib/x86_64-linux-gnu/libplds4.so mr,
      /usr/lib/x86_64-linux-gnu/libquvi.so.* mr,
      /usr/lib/x86_64-linux-gnu/libroken.so.* mr,
      /usr/lib/x86_64-linux-gnu/librtmp.so.* mr,
      /usr/lib/x86_64-linux-gnu/libsasl2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libsmime3.so mr,
      /usr/lib/x86_64-linux-gnu/libsqlite3.so.* mr,
      /usr/lib/x86_64-linux-gnu/libssl*.so mr,
      /usr/lib/x86_64-linux-gnu/libstdc** r,
      /usr/lib/x86_64-linux-gnu/libstdc++.so* mr,
      /usr/lib/x86_64-linux-gnu/libstdc\+\+.so.* mr,
      /usr/lib/x86_64-linux-gnu/libtasn1.so* mr,
      /usr/lib/x86_64-linux-gnu/libtdb.so.* mr,
      /usr/lib/x86_64-linux-gnu/libvorbis.so.* mr,
      /usr/lib/x86_64-linux-gnu/libvorbisfile.so.* mr,
      /usr/lib/x86_64-linux-gnu/libwind.so.* mr,
      /usr/lib/x86_64-linux-gnu/libxcb-render.so* mr,
      /usr/lib/x86_64-linux-gnu/libxcb-shm.so* mr,
      /usr/lib/x86_64-linux-gnu/libxcb.so* mr,
      /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,
      /usr/lib/x86_64-linux-gnu/nss/libfreebl*.so mr,
      /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so mr,
      /usr/lib/x86_64-linux-gnu/nss/libsoftokn*.so mr,
      /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/ r,
      /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules r,  
      /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so mr,
      /usr/lib/x86_64-linux-gnu/librsvg*.so* mr,
      /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module*.so mr,  
      /usr/lib/x86_64-linux-gnu/libpulse.so.* mr,
      /usr/lib/x86_64-linux-gnu/libpulsecommon*.so mr,
      /usr/lib/x86_64-linux-gnu/libspeexdsp.so* mr,
      /usr/lib/x86_64-linux-gnu/libjson.so* mr,
      /usr/lib/x86_64-linux-gnu/libcroco*.so* mr,
      /usr/lib/x86_64-linux-gnu/libsndfile.so* mr,
      /usr/lib/x86_64-linux-gnu/libasyncns.so* mr,
      /usr/lib/x86_64-linux-gnu/libFLAC.so* mr,
      /usr/lib/x86_64-linux-gnu/libvorbisenc.so* mr,
      /usr/lib/x86_64-linux-gnu/libX*.so* mr,  
      /usr/lib/x86_64-linux-gnu/libX11.so* mr,
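An added example (not posted by anyone in this thread) that turns Hungry Man's inherit/child/profile advice and the `cxr` / `cx -> chrome_sandbox` / `rPx` rules in the profile above into a check you can run on a profile file: it parses the nested `profile name { }` blocks, lists every `ix` rule (the child gets the whole parent permission set), and flags `cx` rules with no matching child profile and `px` rules with no standalone profile in the same file. The profile in `SAMPLE_PROFILE` is constructed for the example; its paths are made up.

```python
"""Exec-transition checker for an AppArmor profile file (added example)."""
import re
from dataclasses import dataclass, field

# Profile header: optional 'profile' keyword, a name, optional flags, then '{'
HEADER_RE = re.compile(
    r"^\s*(?:profile\s+)?(?P<name>\S+)(?:\s+flags=\([^)]*\))?\s*\{\s*$")
# File rule: optional 'owner', a path, a permission string, optional '-> target'
RULE_RE = re.compile(
    r"^\s*(?:owner\s+)?(?P<path>[/@]\S*)\s+(?P<mode>[rwklmixpcuPCU]+)"
    r"(?:\s*->\s*(?P<target>\S+))?\s*,\s*$")
CLOSE_RE = re.compile(r"^\s*\}\s*$")

EXEC_KINDS = {"i": "inherit", "c": "child", "C": "child",
              "p": "profile", "P": "profile", "u": "unconfined", "U": "unconfined"}


@dataclass
class Profile:
    name: str
    exec_rules: list = field(default_factory=list)   # (path, mode, target or None)
    children: dict = field(default_factory=dict)      # nested 'profile name { }' blocks


def exec_kind(mode):
    """Classify a permission string by the letter in front of its 'x'.
    Fallback forms such as 'pix' are reported by their fallback letter."""
    pos = mode.index("x")
    return EXEC_KINDS.get(mode[pos - 1] if pos > 0 else "", "invalid")


def parse_profiles(text):
    """Return {name: Profile} for the top-level profiles, children nested inside."""
    top, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drops comments and #include lines
        if not line.strip():
            continue
        header = HEADER_RE.match(line)
        if header:
            prof = Profile(header.group("name"))
            (stack[-1].children if stack else top)[prof.name] = prof
            stack.append(prof)
        elif CLOSE_RE.match(line):
            stack.pop()
        else:
            rule = RULE_RE.match(line)
            if rule and stack and "x" in rule.group("mode"):
                stack[-1].exec_rules.append(
                    (rule.group("path"), rule.group("mode"), rule.group("target")))
    return top


def check_transitions(text):
    """Return (severity, profile, path, message) tuples, one per exec rule."""
    top, findings = parse_profiles(text), []

    def visit(prof):
        for path, mode, target in prof.exec_rules:
            kind, name = exec_kind(mode), target or path
            if kind == "inherit":
                findings.append(("info", prof.name, path,
                                 "ix: child runs with all of this profile's permissions"))
            elif kind == "child":
                ok = name in prof.children
                findings.append(("ok" if ok else "error", prof.name, path,
                                 f"cx: child profile {name} "
                                 + ("found" if ok else f"missing inside {prof.name}; exec would be denied")))
            elif kind == "profile":
                ok = name in top
                findings.append(("ok" if ok else "warn", prof.name, path,
                                 f"px: profile {name} "
                                 + ("found" if ok else "not in this file; exec is denied unless it is loaded from elsewhere")))
            elif kind == "unconfined":
                findings.append(("warn", prof.name, path, "ux: child runs unconfined"))
            else:
                findings.append(("error", prof.name, path, f"unrecognised exec mode {mode}"))
        for child in prof.children.values():
            visit(child)

    for prof in top.values():
        visit(prof)
    return findings


# Constructed sample: one rule of each transition kind, one deliberately broken.
SAMPLE_PROFILE = """\
#include <tunables/global>

/opt/example/browser {
  /usr/bin/wget ixr,
  /usr/bin/xdg-settings cxr,
  /usr/bin/helper cx -> helper_child,
  /usr/bin/torrent-client rPx,
  /usr/bin/other-tool Px,

  profile /usr/bin/xdg-settings {
    /usr/bin/xdg-settings r,
  }
  profile helper_child {
    /usr/bin/helper r,
  }
}

profile /usr/bin/torrent-client {
  /usr/bin/torrent-client r,
}
"""

if __name__ == "__main__":
    for severity, prof, path, msg in check_transitions(SAMPLE_PROFILE):
        print(f"[{severity}] {prof}: {path}: {msg}")
```

Run it against `/etc/apparmor.d/opt.google.chrome.chrome` by reading the file into `check_transitions`; a `px` target that lives in a different file shows up as a warning rather than an error, because the checker only sees one file.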
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Nice. The one thing I'd say is that the Sandbox might not behave properly as a Child. I would launch that as Px. Otherwise that's a good idea to use Cx like that.
     
  8. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Yeah I have noticed the sandbox is asking for more libraries than what it used to when I had it as Px. I may take it and go back to Px and see if it still complains.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    It looks good chrono. Very clean and efficient.

    Finally I re-did, again, the chrome profile, and this time properly spawned and created separate profiles for its sandbox and also for java. I learned it pays to slow down a bit and think some more about what I'm doing :) As well, I was a bit less generous with the wildcards, resulting in a more secure profile, albeit a little larger, but I think that's ok.
     
  10. tlu

    tlu Guest

    Well, I tried your separate profiles, added some rules via aa-logprof in complain mode until no errors were shown anymore. However, as soon as I turn to enforce mode, Chrome wouldn't start, and the KDE system monitor shows chrome-sandbox as a zombie process. Again, going back to complain mode doesn't show any errors.

    If I use a unified Chrome profile with

    /opt/google/chrome/chrome-sandbox rix,

    all is well.
     
  11. tlu

    tlu Guest

    Okay, I created new separate profiles for google-chrome, chrome-sandbox and nacl_helper_bootstrap. After adding numerous rules via aa-logprof in the past hour everything seems to run well - also in enforce mode. Funny - why didn't it work the last time I tried?

    This confirms my impression that the behaviour of AppArmor (while creating profiles via aa-logprof) is not always predictable. I think it depends on the sequence in which the rules are added, and this can cause problems if various profiles are "nested" like in this example.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    I'm convinced creating rules via aa-logprof only works to a point, then a different approach needs to be taken, such as simply using the syslog with a filter to highlight the apparmor deny entries, then I copy the path names and paste them into the appropriate profile with the required mask. I've found in all cases when I build a profile that aa-logprof eventually "misses" necessary path/mask combinations, but digging through the syslog, although a bit more cumbersome, will uncover all the rest that's needed to complete the profile.
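An added example, not from any poster in this thread, that automates the syslog-filtering approach wat0114 describes: it reads AppArmor audit lines, keeps the ones with `apparmor="DENIED"` (or `"ALLOWED"`, which is what complain mode logs), merges the masks seen for the same path, and prints candidate rules grouped by profile. The log lines in `SAMPLE_SYSLOG` are constructed (PIDs, timestamps and paths are made up), the `owner` prefix is a heuristic of this script (file owner equals the process fsuid), and `ix` on an exec denial is only a placeholder for the ix/cx/px decision the thread discusses.

```python
"""Candidate AppArmor rules from audit log lines (added example)."""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
MASK_MAP = {"c": "w", "d": "w", "a": "w"}          # create/delete/append need write access


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def candidate_rules(log_text, status="DENIED"):
    """Return {profile: [rule, ...]} for events whose apparmor= field is status
    ("DENIED" under enforce mode, "ALLOWED" under complain mode)."""
    files = defaultdict(set)   # (profile, owner?, path) -> permission letters
    extra = defaultdict(set)   # profile -> capability / network rules
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.get("apparmor") != status or "profile" not in ev:
            continue
        prof = ev["profile"]
        if ev.get("operation") == "capable" and "capname" in ev:
            extra[prof].add(f'capability {ev["capname"]},')
        elif "family" in ev and "sock_type" in ev:
            extra[prof].add(f'network {ev["family"]} {ev["sock_type"]},')
        elif "name" in ev and "denied_mask" in ev:
            # Heuristic: suggest 'owner' when the file belongs to the process's fsuid.
            owner = ev.get("fsuid") is not None and ev.get("fsuid") == ev.get("ouid")
            files[(prof, owner, ev["name"])].update(
                MASK_MAP.get(c, c) for c in ev["denied_mask"])
    rules = defaultdict(list)
    for (prof, owner, path), letters in files.items():
        mask = "".join(sorted(letters))
        if "x" in mask:
            # An exec needs a transition mode; ix is a placeholder for the reader to decide.
            rules[prof].append(f"{path} {mask.replace('x', '')}ix,  # TODO: choose ix, cx or px")
        else:
            rules[prof].append(f"{'owner ' if owner else ''}{path} {mask},")
    for prof, ruleset in extra.items():
        rules[prof].extend(ruleset)
    return {prof: sorted(ruleset) for prof, ruleset in rules.items()}


# Constructed sample lines in the syslog format of an Ubuntu-era kernel (values made up).
SAMPLE_SYSLOG = """\
Sep 19 08:49:42 host kernel: [ 3121.411] type=1400 audit(1348055382.420:88): apparmor="DENIED" operation="open" parent=2100 profile="/opt/google/chrome/*chrome" name="/etc/fstab" pid=2345 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 19 08:49:42 host kernel: [ 3121.412] type=1400 audit(1348055382.421:89): apparmor="DENIED" operation="open" parent=2100 profile="/opt/google/chrome/*chrome" name="/home/user/Downloads/test.bin" pid=2345 comm="chrome" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Sep 19 08:49:43 host kernel: [ 3121.900] type=1400 audit(1348055383.100:90): apparmor="DENIED" operation="open" parent=2100 profile="/opt/google/chrome/*chrome" name="/home/user/Downloads/test.bin" pid=2345 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 19 08:49:44 host kernel: [ 3122.010] type=1400 audit(1348055384.200:91): apparmor="DENIED" operation="exec" parent=2345 profile="/opt/google/chrome/*chrome" name="/usr/bin/xdg-settings" pid=2400 comm="chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 19 08:49:45 host kernel: [ 3122.300] type=1400 audit(1348055385.300:92): apparmor="DENIED" operation="capable" parent=2100 profile="chrome_sandbox" pid=2346 comm="chrome-sandbox" capability=21 capname="sys_admin"
Sep 19 08:49:45 host kernel: [ 3122.301] type=1400 audit(1348055385.301:93): apparmor="DENIED" operation="create" parent=2100 profile="/opt/google/chrome/*chrome" pid=2345 comm="chrome" family="inet6" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
Sep 19 08:49:46 host kernel: [ 3122.500] type=1400 audit(1348055386.000:94): apparmor="ALLOWED" operation="open" parent=2100 profile="/opt/google/chrome/*chrome" name="/etc/hosts" pid=2345 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

if __name__ == "__main__":
    for prof, ruleset in candidate_rules(SAMPLE_SYSLOG).items():
        print(f"# {prof}")
        for rule in ruleset:
            print(f"  {rule}")
```

On a real box feed it `grep apparmor= /var/log/syslog` (or `/var/log/kern.log`, or `ausearch` output when auditd is running); the generated lines are suggestions to read and trim before they go into a profile, since a denied path that can be globbed or that should stay denied still has to be decided by hand.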
     
  13. tlu

    tlu Guest

    I don't think so. The last time when it didn't work for me, there were no errors in syslog, either. So far I haven't found any evidence that aa-logprof doesn't mirror the syslog entries.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Well maybe I'm doing something wrong when I create the profile off logprof, but it's consistently the same for me, where eventually logprof doesn't catch everything I need, and I find the necessary entries in syslog. Oh well, at least the desired end result is achieved, especially after I figured out the Px mask :)
     
  15. tlu

    tlu Guest

    One funny thing which I can't explain:

    aa-status says:

    among them:

    /opt/google/chrome/chrome-sandbox
    /opt/google/chrome/google-chrome
    /opt/google/chrome/nacl_helper_bootstrap

    but:
    namely:

    /opt/google/chrome/chrome-sandbox//null-155
    /opt/google/chrome/chrome-sandbox//null-155//null-156
    /opt/google/chrome/google-chrome//null-10f
    /opt/google/chrome/google-chrome//null-10f//null-110
    /opt/google/chrome/google-chrome//null-10f//null-110//null-111
    /opt/google/chrome/google-chrome//null-10f//null-110//null-111//null-112
    /opt/google/chrome/google-chrome//null-10f//null-113
    /opt/google/chrome/google-chrome//null-10f//null-114
    /opt/google/chrome/google-chrome//null-10f//null-115
    /opt/google/chrome/google-chrome//null-10f//null-116
    /opt/google/chrome/google-chrome//null-10f//null-117
    /opt/google/chrome/google-chrome//null-10f//null-118
    /opt/google/chrome/google-chrome//null-10f//null-119
    /opt/google/chrome/google-chrome//null-10f//null-11a
    /opt/google/chrome/google-chrome//null-10f//null-11b

    ... and so forth. Does anybody know why?
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    No. I get those types of entries too:

    Code:
    /usr/bin/xdg-settings//null-33
    /usr/bin/xdg-settings//null-34
    /usr/bin/xdg-settings//null-35
    /usr/bin/xdg-settings//null-36
    /usr/bin/xdg-settings//null-37
    /usr/bin/xdg-settings//null-37//null-38
    /usr/bin/xdg-settings//null-37//null-39
    /usr/bin/xdg-settings//null-37//null-3a
    /usr/bin/xdg-settings//null-37//null-3b
    /usr/bin/xdg-settings//null-37//null-3c
    /usr/bin/xdg-settings//null-37//null-3d
    /usr/bin/xdg-settings//null-37//null-3e
    /usr/bin/xdg-settings//null-37//null-3f
    /usr/bin/xdg-settings//null-37//null-40
    
     
  17. tlu

    tlu Guest

    Yes, very strange. And they are still there even if I restart AppArmor or reload all profiles.
     
  18. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343

    You're on KDE, which is probably the reason. I wrote the profile for Unity on Ubuntu 12.04.

    I have updated my profile and it works here for me on Unity with no issues. This time I put chrome-sandbox in its own separate profile, which seems to work better. I also made a new profile for the Java (IcedTea) plugin. That profile (for Java) is as restrictive as is humanly possible. I will paste all of the profiles below.

    opt.google.chrome.chrome (place this in /etc/apparmor.d)

    (NOTE: if you don't use an nvidia card, you can remove the "nvidia" abstraction and replace it with your own).

    Code:
    # Last Modified: Wed Sep 19 08:49:42 2012
    #include <tunables/global>
      
    /opt/google/chrome/*chrome {
      #include <abstractions/audio>
      #include <abstractions/browser-libs-strict>
      #include <abstractions/browser_openjdk>
      #include <abstractions/cups-client>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/nvidia>    
      #include <abstractions/user-tmp>
      
      # For networking.  Decided not to use abstractions here.  
      network inet stream,
      network inet6 stream,
      network inet  dgram,
      network inet6 dgram,
      /etc/host.conf r,
      /etc/hosts r,
      /etc/nsswitch.conf r,
      /etc/resolv.conf r,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r, 
    
      /bin/bash r,
      
      /opt/google/chrome/ r,
      /opt/google/chrome/** m,
      /opt/google/chrome/** rwkl,
      
      /dev/ r,
      /dev/null rw,
      /dev/tty rw,
      /dev/urandom r,
      
      /etc/ld.so.cache r,
      /etc/locale.alias r,
      /etc/debian_version r,
      /etc/gnome/defaults.list r,
      /etc/group r,  
      /etc/lsb-release r,
      /etc/localtime r,
      /etc/gai.conf r,
      /etc/mtab r,
      /etc/mime.types r,
      /etc/mailcap r,
      /etc/passwd r,
      /etc/xdg/xubuntu/applications/defaults.list r,
    
      /run/shm/*.google** rw,
      /selinux/ r,
      /var/lib/dbus/machine-id r,
      
      owner @{HOME}/.config/google-chrome/ r,
      owner @{HOME}/.config/google-chrome/** rwkl,
      owner @{HOME}/.cache/dconf/user rw,
      owner @{HOME}/.config/dconf/user r,
      owner @{HOME}/.local/share/applications/mimeapps.list** rw,
      owner @{HOME}/.config/google-chrome/ r,
      owner @{HOME}/.config/google-chrome/** rwkl,
      owner @{HOME}/.config/ibus/bus/ rw,
      owner @{HOME}/.cache/google-chrome/Default/Cache/ r,
      owner @{HOME}/.cache/google-chrome/Default/Cache/** rw,
      owner @{HOME}/.nvidia/* rw,
      owner @{HOME}/.nv/GLCache/ r,
      owner @{HOME}/.nv/GLCache/** rwk,
      @{HOME}/.Xauthority r,
    
      # For nautilus so you can browse dirs
      /usr/bin/nautilus rix,
    
      # To open transmission bit torrent client
      /usr/bin/transmission-gtk rPx,
    
      @{PROC}/[0-9]*/ r,
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/cpuinfo r,
      @{PROC}/filesystems r,
      @{PROC}/ r,
      @{PROC}/*/maps r,
      @{PROC}/stat r,
      @{PROC}/meminfo r,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      @{PROC}/*/oom_score_adj rw,
      @{PROC}/sys/kernel/shmmax r,
      @{PROC}/*/task/ r,
      owner @{PROC}/[0-9]*/cmdline r,
      owner @{PROC}/[0-9]*/io r,
      owner @{PROC}/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/status r,
       
      
      # Newer chromium needs these now
      /sys/devices/pci[0-9]*/**/class r,
      /sys/devices/pci[0-9]*/**/device r,
      /sys/devices/pci[0-9]*/**/irq r,
      /sys/devices/pci[0-9]*/**/resource r,
      /sys/devices/pci[0-9]*/**/vendor r,
      /sys/devices/system/cpu/online r,
      /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
      /sys/bus/pci/devices/ r,
      
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
        
      owner @{HOME}/.pki/nssdb/* rwk, 
       
      # For themes
      /usr/share/misc/ r,
      /usr/share/misc/** r,
      /usr/share/glib-2.0/schemas/ r,
      /usr/share/glib-2.0/schemas/** r,
      /usr/share/themes/ r,
      /usr/share/themes/** r,
    
      # For timezone info
      /usr/share/zoneinfo/ r,
      /usr/share/zoneinfo/** r,
    
      /usr/share/X11/locale/ r,
      /usr/share/X11/locale/** r,
      /usr/share/X11/XErrorDB r,
    
      /tmp/* m,
    
      # All of these processes have child profiles below
      /bin/mkdir Cxr,
      /bin/which Cxr,
      /bin/readlink Cxr,
      /usr/bin/lsb_release Cxr,
      /usr/bin/xdg-settings Cxr,
      /usr/bin/dirname Cxr,
      /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java Cxr -> browser_openjdk,
      
      # Allow transitions to ourself and our sandbox
      /opt/google/chrome/chrome-sandbox rPx,
      /opt/google/chrome/*chrome ixr,
      /opt/google/chrome/nacl_helper_bootstrap ixr,
    
      
      profile /bin/mkdir {
    
      /bin/mkdir r,
      /etc/ld.so.cache r,
      /lib/x86_64-linux-gnu/libselinux.so* mr,
      /lib/x86_64-linux-gnu/libc*.so mr,
      /lib/x86_64-linux-gnu/libdl*.so mr,
      /lib/x86_64-linux-gnu/ld*.so mr,
      /proc/filesystems r,
      /usr/lib/locale/locale-archive r,
      }
      
      profile /bin/which {
    
      /etc/ld.so.cache r,
      /bin/dash r,
      /bin/which r,
      /dev/null rw,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/ld-*.so mr,
      }
    
      profile /bin/readlink {
    
      /bin/readlink r,
      /etc/ld.so.cache r,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/ld*.so mr,
      /usr/lib/locale/locale-archive r,
      }
    
      profile /usr/bin/dirname {
    
      /etc/ld.so.cache r,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/ld-*.so mr,
      /usr/bin/dirname r,
      /usr/lib/locale/locale-archive r,
      }
      
      profile /usr/bin/lsb_release {
    
        /etc/ld.so.cache r,
        /etc/lsb-release r,
        /etc/python2.7/sitecustomize.py r,
        /lib/x86_64-linux-gnu/ld-*.so r,
        /lib/x86_64-linux-gnu/libc-*.so mr,
        /lib/x86_64-linux-gnu/libcrypto.so.* mr,
        /lib/x86_64-linux-gnu/libdl-*.so mr,
        /lib/x86_64-linux-gnu/libgcc_s.so.* mr,
        /lib/x86_64-linux-gnu/libm-*.so mr,
        /lib/x86_64-linux-gnu/libpthread-*.so mr,
        /lib/x86_64-linux-gnu/libssl.so.* mr,
        /lib/x86_64-linux-gnu/libutil-*.so mr,
        /lib/x86_64-linux-gnu/libz.so.* mr,
        /proc/meminfo r,
        /usr/bin/lsb_release r,
        /usr/bin/python2.7 r,
        /usr/include/python2.7/pyconfig.h r,
        /usr/lib/locale/** r,
        /usr/lib/pymodules/python2.7/.path r,
        /usr/lib/python2.7/** r,
        /usr/local/lib/python2.7/*/ r,
        /usr/share/pyshared/* r,
    
      }
    
      
      profile /usr/bin/xdg-settings {
    
        /bin/dash r,
        /bin/grep rix,
        /bin/mkdir rCx,
        /bin/readlink rCx,
        /bin/sed rix,
        /bin/which rCx,
    
        /dev/null w,
        /etc/ld.so.cache r,
        /etc/locale.alias r,
        /home/*/.local/share/applications/google-chrome.desktop r,
        /home/*/.local/share/applications/mimeapps.list r,   
        /home/*/.local/share/applications/ r, 
        /proc/*/maps r,
        /proc/filesystems r,
    
        /usr/bin/basename rix,
        /usr/bin/cut rix,
        /usr/bin/gawk rix,
        /usr/bin/gconftool-2 rix,
        /usr/bin/xdg-mime rix,
        /usr/bin/xdg-settings r,
    
        /usr/lib/libsigsegv.so.* mr,
        /usr/lib/locale/** r,   
    
        /lib/x86_64-linux-gnu/libc-*.so mr, 
        /lib/x86_64-linux-gnu/ld-*.so mr, 
        /lib/x86_64-linux-gnu/libdl*.so mr,
        /lib/x86_64-linux-gnu/libdbus-1.so.* mr,
        /lib/x86_64-linux-gnu/libglib-2.0.so.* mr,
        /lib/x86_64-linux-gnu/libselinux.so* mr,
        /lib/x86_64-linux-gnu/libm-*.so mr,
        /lib/x86_64-linux-gnu/libpcre.so.* mr,
        /lib/x86_64-linux-gnu/libpthread-*.so mr,
        /lib/x86_64-linux-gnu/libresolv-2.15.so mr,
        /lib/x86_64-linux-gnu/librt-2.15.so mr,
        /lib/x86_64-linux-gnu/libz.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgio-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/gconv/gconv-modules r,
        /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
        /usr/lib/x86_64-linux-gnu/libgconf-2.so.* mr,
        /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgio-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libffi.so.* mr,
        /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,
    
      }  
    
    }
    opt.google.chrome.chrome-sandbox (also place this in /etc/apparmor.d)

    Code:
    # Last Modified: Sat Sep 22 10:13:11 2012
    #include <tunables/global>
    
    /opt/google/chrome/chrome-sandbox {
      # Be fanatical since it is setuid root and don't use an abstraction
      /lib/libgcc_s.so* mr,
      /lib{,32,64}/libm-*.so* mr,
      /lib/@{multiarch}/libm-*.so* mr,
      /lib{,32,64}/libpthread-*.so* mr,
      /lib/@{multiarch}/libpthread-*.so* mr,
      /lib{,32,64}/libc-*.so* mr,
      /lib/@{multiarch}/libc-*.so* mr,
      /lib{,32,64}/libld-*.so* mr,
      /lib/@{multiarch}/libld-*.so* mr,
      /lib{,32,64}/ld-*.so* mr,
      /lib/@{multiarch}/ld-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
      /usr/lib/libstdc++.so* mr,
      /etc/ld.so.cache r,
    
      # Required for dropping into PID namespace. Keep in mind that until the
      # process drops this capability it can escape confinement, but once it
      # drops CAP_SYS_ADMIN we are ok.
      capability sys_admin,
    
      # All of these are for sanely dropping from root and chrooting
      capability chown,
      capability fsetid,
      capability setgid,
      capability setuid,
      capability dac_override,
      capability sys_chroot,
    
      # *Sigh*
      capability sys_ptrace,
    
      @{PROC}/ r,
      @{PROC}/[0-9]*/ r,
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/[0-9]*/oom_adj w,
      @{PROC}/[0-9]*/oom_score_adj w,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
    
      /opt/google/chrome/*chrome r,
      /opt/google/chrome/*chrome Px,
      /opt/google/chrome/chrome-sandbox r,
    
      owner /tmp/** rw,
    }

    Here is the "browser-libs-strict" abstraction. This abstraction includes all the libraries Chrome and Firefox need. Firefox uses a few Chrome doesn't, but most of them overlap. I feel this is safer than using <abstractions/base> which gives the browser access to *all* possible libs. Place this file in /etc/apparmor.d/abstractions

    Code:
      # vim:syntax=apparmor
    
      # These are the libs for Chrome.  I was very strict here.
    
      /lib/libnss*.so* mr,
      /lib/libiw.so.* mr,
      /lib/libproc-*.so mr,
    
      /lib/x86_64-linux-gnu/ld*.so mr,
      /lib/x86_64-linux-gnu/libbz2.so* mr,
      /lib/x86_64-linux-gnu/libc**.so mr,
      /lib/x86_64-linux-gnu/libcom_err.so* mr,
      /lib/x86_64-linux-gnu/libcrypto.so.* mr,
      /lib/x86_64-linux-gnu/libdbus*.so* mr,
      /lib/x86_64-linux-gnu/libdl**.so mr,
      /lib/x86_64-linux-gnu/libexpat.so* mr,
      /lib/x86_64-linux-gnu/libgcc_s.so* mr,
      /lib/x86_64-linux-gnu/libgcrypt.so* mr,
      /lib/x86_64-linux-gnu/libglib-*.so.* mr,
      /lib/x86_64-linux-gnu/libgpg-error.so* mr,
      /lib/x86_64-linux-gnu/libkeyutils.so* mr,
      /lib/x86_64-linux-gnu/libm*.so mr,
      /lib/x86_64-linux-gnu/libnsl-*.so mr,
      /lib/x86_64-linux-gnu/libpopt.so.* mr,
      /lib/x86_64-linux-gnu/libpci.so.* mr,
      /lib/x86_64-linux-gnu/libpcre.so* mr,
      /lib/x86_64-linux-gnu/libpng12.so* mr,
      /lib/x86_64-linux-gnu/libpthread*.so mr,
      /lib/x86_64-linux-gnu/libresolv*.so mr,
      /lib/x86_64-linux-gnu/librt-*.so mr,
      /lib/x86_64-linux-gnu/libselinux.so.* mr,
      /lib/x86_64-linux-gnu/libssl.so.* mr,
      /lib/x86_64-linux-gnu/libtinfo.so.* mr,
      /lib/x86_64-linux-gnu/libudev.so* mr,
      /lib/x86_64-linux-gnu/libutil-*.so mr,
      /lib/x86_64-linux-gnu/libuuid.so.* mr,
      /lib/x86_64-linux-gnu/libz.so* mr,
      /lib/x86_64-linux-gnu/libwrap.so* mr,
      /lib/x86_64-linux-gnu/libnss*.so* mr,
        
      /usr/lib/firefox-addons/plugins/ r,
      /usr/lib/xulrunner-addons/plugins/ r,
      /usr/lib/flashplugin-installer/libflashplayer.so mr,
      /usr/lib/gtk-2.0/2.10.0/menuproxies/libappmenu.so mr,
      /usr/lib/libdee*.so* mr,
      /usr/lib/libicudata.so.* mr,
      /usr/lib/libicui18n.so.* mr,
      /usr/lib/libicuuc.so.* mr,
      /usr/lib/liboverlay-scrollbar-0.2.so.* mr,
      /usr/lib/libGL.so* mr,
      /usr/lib/libsigsegv.so.* mr,
      /usr/lib/libtotem-plparser-mini.so.* mr,
      /usr/lib/libunity.so.* mr,
      /usr/lib/locale/locale-archive r,
      /usr/lib/mozilla/plugins/ r,
      /usr/lib/mozilla/plugins/*.so mr,
      /usr/lib/pymodules/python2.7/* r,
      /usr/lib/python2.7/config/* r,
      /usr/lib/tls/libnvidia-tls.so* mr,
      /usr/lib/libnvidia*.so* mr,
    
      #Firefox
    
      /usr/lib/gtk-3.0/3.0.0/menuproxies/libappmenu.so mr,
      /usr/lib/gtk-3.0/3.0.0/theming-engines/libunico.so mr,
      /usr/lib/libappindicator3.so.* mr,
      /usr/lib/libevent*.so.* mr,
      /usr/lib/libgnome-2.so.* mr,
      /usr/lib/libgnomecanvas-2.so.* mr,
      /usr/lib/libindicator3.so.* mr,
      /usr/lib/liblaunchpad-integration*.so.* mr,
      /usr/lib/libminiupnpc.so.* mr,
      /usr/lib/liboverlay-scrollbar3*.so.* mr,
    
      #Chrome specific
    
      /usr/lib/x86_64-linux-gnu/gconv/gconv-modules r,
      /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
      /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache r,
      /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader*.so mr,
      /usr/lib/x86_64-linux-gnu/gio/modules/ r,
      /usr/lib/x86_64-linux-gnu/gio/modules/* mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/*/engines/* mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/*/gtk.immodules r,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/*/immodules/im-ibus.so mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so mr,
      /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so mr,
      /usr/lib/x86_64-linux-gnu/libICE.so.* mr,
      /usr/lib/x86_64-linux-gnu/libSM.so.* mr,
      /usr/lib/x86_64-linux-gnu/libX** mr,
      /usr/lib/x86_64-linux-gnu/libX*.so* r,
      /usr/lib/x86_64-linux-gnu/libX11.so** mr,
      /usr/lib/x86_64-linux-gnu/libasn1.so.* mr,
      /usr/lib/x86_64-linux-gnu/libasound.so* mr,
      /usr/lib/x86_64-linux-gnu/libatk*.so* mr,
      /usr/lib/x86_64-linux-gnu/libavahi-client.so* mr,
      /usr/lib/x86_64-linux-gnu/libavahi-common.so* mr,
      /usr/lib/x86_64-linux-gnu/libcairo.so* mr,
      /usr/lib/x86_64-linux-gnu/libcanberra-gtk.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcanberra.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcups.so* mr,
      /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.* mr,
      /usr/lib/x86_64-linux-gnu/libdbus-glib*.so* mr,
      /usr/lib/x86_64-linux-gnu/libdbusmenu-glib.so.* mr,
      /usr/lib/x86_64-linux-gnu/libdbusmenu-gtk.so.* mr,
      /usr/lib/x86_64-linux-gnu/libffi.so* mr,
      /usr/lib/x86_64-linux-gnu/libfontconfig.so* mr,
      /usr/lib/x86_64-linux-gnu/libfreetype.so* mr,
      /usr/lib/x86_64-linux-gnu/libgconf*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgdk-*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgdk_pixbuf*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgee.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgio*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgmodule*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgnutls.so* mr,
      /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgssapi.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so* mr,
      /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgtk-*.so* mr,
      /usr/lib/x86_64-linux-gnu/libhcrypto.so.* mr,
      /usr/lib/x86_64-linux-gnu/libheimbase.so.* mr,
      /usr/lib/x86_64-linux-gnu/libheimntlm.so.* mr,
      /usr/lib/x86_64-linux-gnu/libhx509.so.* mr,
      /usr/lib/x86_64-linux-gnu/libibus-1.0.so.* mr,
      /usr/lib/x86_64-linux-gnu/libidn.so.* mr,
      /usr/lib/x86_64-linux-gnu/libjson-glib*.so* mr,
      /usr/lib/x86_64-linux-gnu/libk5crypto.so* mr,
      /usr/lib/x86_64-linux-gnu/libkrb5.so* mr,
      /usr/lib/x86_64-linux-gnu/libkrb5support.so* mr,
      /usr/lib/x86_64-linux-gnu/liblber*.so* mr,
      /usr/lib/x86_64-linux-gnu/libldap_r*.so* mr,
      /usr/lib/x86_64-linux-gnu/libltdl.so.* mr,
      /usr/lib/x86_64-linux-gnu/liblua5.1.so.* mr,
      /usr/lib/x86_64-linux-gnu/libnspr4.so mr,
      /usr/lib/x86_64-linux-gnu/libnss3.so mr,  
      /usr/lib/x86_64-linux-gnu/libnssutil3.so mr,
      /usr/lib/x86_64-linux-gnu/libogg.so.* mr,
      /usr/lib/x86_64-linux-gnu/libp11-kit.so* mr,
      /usr/lib/x86_64-linux-gnu/libpango*.so* mr,
      /usr/lib/x86_64-linux-gnu/libpangocairo*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libpixman*.so* mr,
      /usr/lib/x86_64-linux-gnu/libplc4.so mr,
      /usr/lib/x86_64-linux-gnu/libplds4.so mr,
      /usr/lib/x86_64-linux-gnu/libquvi.so.* mr,
      /usr/lib/x86_64-linux-gnu/libroken.so.* mr,
      /usr/lib/x86_64-linux-gnu/librtmp.so.* mr,
      /usr/lib/x86_64-linux-gnu/libsasl2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libsmime3.so mr,
      /usr/lib/x86_64-linux-gnu/libsqlite3.so.* mr,
      /usr/lib/x86_64-linux-gnu/libssl*.so mr,
      /usr/lib/x86_64-linux-gnu/libstartup-notification-1.so.* mr,
      /usr/lib/x86_64-linux-gnu/libstdc** r,
      /usr/lib/x86_64-linux-gnu/libstdc++.so* mr,
      /usr/lib/x86_64-linux-gnu/libstdc\+\+.so.* mr,
      /usr/lib/x86_64-linux-gnu/libtasn1.so* mr,
      /usr/lib/x86_64-linux-gnu/libtdb.so.* mr,
      /usr/lib/x86_64-linux-gnu/libvorbis.so.* mr,
      /usr/lib/x86_64-linux-gnu/libvorbisfile.so.* mr,
      /usr/lib/x86_64-linux-gnu/libwind.so.* mr,
      /usr/lib/x86_64-linux-gnu/libxcb-render.so* mr,
      /usr/lib/x86_64-linux-gnu/libxcb-shm.so* mr,
      /usr/lib/x86_64-linux-gnu/libxcb.so* mr,
      /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,
      /usr/lib/x86_64-linux-gnu/nss/libfreebl*.so mr,
      /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so mr,
      /usr/lib/x86_64-linux-gnu/nss/libsoftokn*.so mr,
      /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/ r,
      /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules r,  
      /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango*.so mr,
      /usr/lib/x86_64-linux-gnu/librsvg*.so* mr,
      /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module*.so mr,  
      /usr/lib/x86_64-linux-gnu/libpulse.so.* mr,
      /usr/lib/x86_64-linux-gnu/libpulsecommon*.so mr,
      /usr/lib/x86_64-linux-gnu/libspeexdsp.so* mr,
      /usr/lib/x86_64-linux-gnu/libjson.so* mr,
      /usr/lib/x86_64-linux-gnu/libcroco*.so* mr,
      /usr/lib/x86_64-linux-gnu/libsndfile.so* mr,
      /usr/lib/x86_64-linux-gnu/libasyncns.so* mr,
      /usr/lib/x86_64-linux-gnu/libFLAC.so* mr,
      /usr/lib/x86_64-linux-gnu/libvorbisenc.so* mr,
      /usr/lib/x86_64-linux-gnu/libxcb-util.so* mr,
      /usr/lib/x86_64-linux-gnu/libX*.so* mr,  
      /usr/lib/x86_64-linux-gnu/libX11.so* mr,
    
      # Firefox specific
    
      /usr/lib/x86_64-linux-gnu/gconv/UTF-*.so mr,
      /usr/lib/x86_64-linux-gnu/gnome-vfs-2.0/modules/libfile.so r,
      /usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules.cache r,
      /usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules/im-ibus.so mr,
      /usr/lib/x86_64-linux-gnu/gtk-3.0/modules/libcanberra-gtk3-module.so mr,
      /usr/lib/x86_64-linux-gnu/libORBit-2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libORBitCosNaming-2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libart_lgpl_2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libavahi-glib.so.* mr,
      /usr/lib/x86_64-linux-gnu/libbonobo-2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libbonobo-activation.so.* mr,
      /usr/lib/x86_64-linux-gnu/libbonoboui-2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcairo-gobject.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcanberra-*/libcanberra-pulse.so mr,
      /usr/lib/x86_64-linux-gnu/libcanberra-gtk3.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcurl.so.* mr,
      /usr/lib/x86_64-linux-gnu/libdbusmenu-gtk3.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgailutil.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgnome-keyring.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgnomeui-2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgnomevfs-2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libnotify.so.* mr,
      /usr/lib/x86_64-linux-gnu/libstdc** mr,
      /usr/lib/x86_64-linux-gnu/pango/*/modules/pango*.so r,
    Finally, here is my improved IcedTea java plugin profile. NOTE: you must be using "IcedTea" and not the official Oracle Java for this to work. Also, you must be using Openjdk version 7. If you use version 6, you will have to modify the profile accordingly. This profile will work with either Firefox or Chrome. Place this file in /etc/apparmor.d/abstractions

    browser_openjdk

    Code:
    # vim:syntax=apparmor
    
      owner @{HOME}/.java/deployment/deployment.properties k,  
    
      /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/ r,
      /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/IcedTeaPlugin.so mr,  
        
      /usr/lib/jvm/java-7-openjdk-*/jre/bin/java rCx -> browser_openjdk,
    
      profile browser_openjdk {
        #include <abstractions/browser-libs-strict>
        #include <abstractions/private-files-strict>
    
        network inet stream,
        network inet dgram,
        network inet6 stream,
    
        /usr/lib/jvm/java-7-openjdk-*/jre/lib/ r,
        /usr/lib/jvm/java-7-openjdk-*/jre/lib/** r,
        /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/*.so mr,
        /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/*/*.so mr,
            
        /usr/lib/jvm/java-7-openjdk-*/jre/bin/java r,
        /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/jvm.cfg-default r,
    
        /usr/lib/*-linux-gnu/jni/libatk-wrapper.so.* mr,
        /usr/lib/*-linux-gnu/gconv/SJIS.so mr,
    
        deny /usr/bin/gconftool-2 x,
        deny /anon_hugepage//deleted r,
    
        /etc/fonts/fonts.conf r,
        /etc/fonts/conf.d/ r,
        /etc/fonts/conf.d/** r,
        /etc/fonts/conf.avail/ r,
        /etc/fonts/conf.avail/** r,
        /etc/hosts r,
        /etc/host.conf r,
        /etc/ssl/certs/java/cacerts r,
        /etc/java-7-openjdk/ r,
        /etc/java-7-openjdk/** r,    
        /etc/locale.alias r,
        /etc/localtime r,
        /etc/lsb-release r,
        /etc/ld.so.cache r,    
        /etc/nsswitch.conf r,
        /etc/resolv.conf r,
        /etc/passwd r,
        /etc/timezone r,
    
        /dev/{,u}random r,
        
    
        /home/ r,
        /home/*/ r,
        /home/*/.cache/dconf/user rw,
        /home/*/.config/dconf/user r,
        /home/*/.config/ibus/bus/ w,
        /home/*/.fontconfig/ r,
        /home/*/.fontconfig/** r,
        /home/*/.fonts/ r,
        /home/*/.fonts/** r,
        /home/*/.java/fonts/ r,
        /home/*/.java/fonts/** rw,
        /home/*/.mozilla/firefox/profiles.ini r,
        /home/*/.icedtea/ r,
        /home/*/.icedtea/** r,
        /home/*/.icedtea/cache/** rwk,
        /home/*/.Xauthority r,
    
        /opt/google/chrome/ r,
    
        /proc/[0-9]*/ r,
        /proc/[0-9]*/cmdline r,
        /proc/filesystems r,
        /proc/stat r,
        /proc/[0-9]*/coredump_filter rw,
        /proc/cpuinfo r,
        /proc/[0-9]*/maps r,
        /proc/[0-9]*/net/if_inet6 r,
        /proc/[0-9]*/net/ipv6_route r,
        /proc/meminfo r,
    
        /usr/share/glib-2.0/schemas/gschemas.compiled r,
    
        /usr/share/icedtea-web/ r,
        /usr/share/icedtea-web/** r,
        /usr/share/java/ r,
        /usr/share/java/** r,
    
        # For fonts, icons, themes, etc.  No abstractions here
        /usr/share/fonts/ r,
        /usr/share/fonts/** r,
        /usr/share/texmf/fonts/ r,
        /usr/share/texmf/fonts/** r,
        /usr/share/icons/ r,
        /usr/share/icons/** r,
        /usr/share/themes/ r,
        /usr/share/themes/** r,
    
        /usr/share/X11/locale/locale.* r,
        /usr/share/X11/locale/*.dir r,
        /usr/share/X11/locale/en_US.UTF-8/ r,
        /usr/share/X11/locale/en_US.UTF-8/** r,
    
        /usr/share/javazi r,
        /usr/share/javazi/** r,
        /usr/share/zoneinfo/ r,
        /usr/share/zoneinfo/** r,
    
        # /tmp stuff.  Again no abstractions
        /tmp/ r,
        /tmp/*/ rw,
        /tmp/*/** rw,
        /var/tmp/ r,
        /tmp/hsperfdata_*/ rw,
        /tmp/hsperfdata_*/** rw,
        
        /tmp/icedteaplugin-*/* r,
        /tmp/icedteaplugin-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
        /tmp/*/netx/locks/netx_running rwk,
        
        /sys/devices/system/cpu/ r,
        /sys/devices/system/cpu/online r,
    
        /var/cache/fontconfig/ rw,
        /var/cache/fontconfig/** rw,
    
        /var/lib/dbus/machine-id r,
    
        /usr/lib/jvm/java-7-openjdk-*/bin/java ix,    
    
    }
    That's it. So you have 4 files:

    opt.google.chrome.chrome ---> /etc/apparmor.d
    opt.google.chrome.chrome-sandbox ----> /etc/apparmor.d
    browser-libs-strict ---> /etc/apparmor.d/abstractions
    browser_openjdk ---> /etc/apparmor.d/abstractions

    Try them out and let me know how they work. At the very least use the OpenJDK profile. You can place it in the #include section of the abstractions in your own browser profiles. (You will also need the "browser-libs-strict" abstraction for the openjdk profile to work).
     
    Last edited: Sep 24, 2012
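Profiles like the ones above are built by hand from aa-logprof output, and the two mistakes that slip in most easily are a Cx rule whose child profile never got written, and the same rule pasted twice into one block. The following lint is an added example, not part of AppArmor or of the profiles posted here; it parses a constructed excerpt shaped like the Chrome profile (assumed, not the full profile), treats `#include` lines as opaque, and therefore takes a `known` list for child profile names that arrive through an abstraction (such as `browser_openjdk`). A Cx target is only accepted if a child profile of that name is declared inside the same block, which is where AppArmor looks for it, so a `rCx` rule inside the xdg-settings child block is reported.

```python
"""Lint hand-written AppArmor profiles for Cx/child-profile mismatches and duplicate rules.

Added example, not part of AppArmor or of the posted profiles. Includes are not
expanded; names that come from an #include are passed in via `known`.
"""
import re
from collections import Counter

# A file rule: optional qualifiers, a path starting with / or @, permissions,
# an optional "-> target" (named child profile), and the closing comma.
RULE_RE = re.compile(
    r'^(?:(?:audit|deny|owner)\s+)*(?P<path>[/@]\S*)\s+(?P<perms>[a-zA-Z]+)'
    r'(?:\s*->\s*(?P<target>\S+))?\s*,$')
# Opening line of a profile block, with or without the "profile" keyword.
OPEN_RE = re.compile(r'^(?:profile\s+)?(?P<name>\S+)\s*(?:flags=\([^)]*\)\s*)?\{$')

# Constructed excerpt in the shape of the Chrome profile above (not the real file).
SAMPLE = """
#include <tunables/global>
/opt/google/chrome/*chrome {
  #include <abstractions/browser_openjdk>
  owner @{HOME}/.config/google-chrome/** rwkl,
  owner @{HOME}/.config/google-chrome/** rwkl,
  /usr/bin/transmission-gtk rPx,
  /bin/mkdir Cxr,
  /usr/bin/xdg-settings Cxr,
  /usr/bin/lsb_release Cxr,
  /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java Cxr -> browser_openjdk,

  profile /bin/mkdir {
    /bin/mkdir r,
  }
  profile /usr/bin/xdg-settings {
    /bin/dash r,
    /bin/grep rix,
    /bin/readlink rCx,
  }
}
"""


def parse(text):
    """Parse profile text into a list of {name, parent, rules, children} dicts."""
    profiles, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):   # blank, comment, or #include
            continue
        m = OPEN_RE.match(line)
        if m:
            prof = {'name': m.group('name'),
                    'parent': stack[-1]['name'] if stack else None,
                    'rules': [], 'children': set()}
            if stack:
                stack[-1]['children'].add(prof['name'])
            profiles.append(prof)
            stack.append(prof)
        elif line == '}':
            stack.pop()
        elif stack:
            stack[-1]['rules'].append(line)
    if stack:
        raise ValueError('unbalanced braces: %s never closed' % stack[-1]['name'])
    return profiles


def missing_child_profiles(profiles, known=()):
    """Return (profile, rule) pairs for Cx rules with no child profile in the same block."""
    problems = []
    for prof in profiles:
        for rule in prof['rules']:
            m = RULE_RE.match(rule)
            if not m or 'C' not in m.group('perms'):   # only Cx transitions matter here
                continue
            target = m.group('target') or m.group('path')
            if target not in prof['children'] and target not in known:
                problems.append((prof['name'], rule))
    return problems


def duplicate_rules(profiles):
    """Return (profile, rule) pairs for rule lines that appear more than once in a block."""
    return [(p['name'], r) for p in profiles
            for r, n in Counter(p['rules']).items() if n > 1]


if __name__ == '__main__':
    profs = parse(SAMPLE)
    for name, rule in missing_child_profiles(profs, known=('browser_openjdk',)):
        print('%s: Cx target has no child profile in this block: %s' % (name, rule))
    for name, rule in duplicate_rules(profs):
        print('%s: duplicate rule: %s' % (name, rule))
```

Run it against a real file by replacing `SAMPLE` with the file contents; it does not replace `apparmor_parser`, which still has the final say on syntax.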
  19. tlu

    tlu Guest

    Well, I had added rules via aa-logprof that should have covered KDE. But anyway, as mentioned in post #161, I created new profiles and they work as they should.
     
  20. tlu

    tlu Guest

    No worry :D I noticed that the syslog entries regarding null profiles were several hours old. After rebooting my system they are gone. So this might be an AppArmor bug that old null profiles are not always properly cleaned up.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If you delete the files or save new versions it might leave a backup file in the folder. You can view it with ctrl + H. This can mess apparmor up but it's not an apparmor bug, it's probably gedit or whatever text editor you've used.

    ------

    My profile is somewhat specific to me as I only added the libs that I use. I don't have cupsd installed and I don't use certain things. We also use different desktop environments so different libs are required.

    Just a tip:

    aa-complain/enforce (Whichever)
    open program
    aa-logprof
    aa-complain/enforce
    open program

    etc

    Reloading in between is what helps.

    Why not just replace the 7's with *'s. That way when it hits Java 8 you won't have a ton of old rules.
     
  22. tlu

    tlu Guest

    Sure, but - as mentioned - I didn't use it unchanged but added numerous rules via aa-logprof.

    That's what I'm doing. But it doesn't always help. Example: I got no sound in Chrome from videos on, e.g., youtube. Neither aa-logprof nor /var/log/messages showed any errors. After a reboot things looked different: Now aa-logprof showed that the pulseaudio profile required read access to /home/*/.Xauthority. Again, only after the reboot (I had added /usr/bin/pulseaudio Px, to my Chrome profile). This is an example why it's not always that easy.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Ah, I see. I've had issues like that before where only a reboot solved it. Such is life I suppose.

    Still a hell of a lot easier than SELinux haha
     
  24. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Too lazy.
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Eventually this is the approach I've adopted:

    • aa-genprof <program name>
    • open program
    • Scan and add suggestions
    • edit profile, finish (program is now enforced with a very basic profile)
    • sudo apparmor_parser -r /etc/apparmor.d/<profile name> (reloads profile)
    • open program (usually won't open yet because profile is incomplete)
    • aa-logprof and add suggestions
    • Finish
    • repeat steps 4-8

    After a few repeats of aa-logprof I then check the syslogs for "Apparmor Denied" path names that might need to be addressed. After reading about tlu rebooting and you confirming this, I will probably have to do the same.
     