Anyone using Apparmor?

Discussion in 'all things UNIX' started by Hungry Man, Mar 11, 2012.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Oops, but I didn't know. :argh: Very comprehensive I must say. :thumb:
     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Yeah I am about to go over there and make some updates to the profile.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    Cool! I was reading that thread mere minutes ago before finding this out now :thumb: One thing I won't do, though, is copy/paste yours or someone else's profiles, otherwise I'll never learn ;) I re-did another Chrome profile last night but I'm still not satisfied with it. It works, but I screwed up the relation between it and the Sandbox profile, so back to the drawing board later today.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It takes some practice. It's mostly about knowing when you should inherit, child, or profile. it's not that hard, just never profile the 'big' ones like wget or dash, child them or inherit them.

    And never inherit something that'll be using separate files than what's in the profile. So you inherit wget because it'll just be used on files taht the program can already access but you child xdg-settings because it's goin to be launched to do other stuff.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    Thanks! I started with the sandbox profile first, and all was going fine until it generated a chrome-browser profile when I used a Px entry, then I somehow inadvertantly added sandbox paths to the chrome profile, when I think they should have been added to the sandbox profile o_O I think I know what I need to do now, however, so it doesn't happen again :)
     
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Ok so i spent a while profiling Google Chrome. I decided to make a child profile for every process Chrome called. I also was careful not to use any abstractions, except for a few in the main profile which are safe.

    I also made my own abstraction for chrome-libs-strict. These are the libraries chrome needs. I decided to put it into another file because it was so large.

    Here is the profile. It's big.

    Code:
    # Last Modified: Wed Sep 19 08:49:42 2012
    #include <tunables/global>
      
    /opt/google/chrome/*chrome {
      #include <abstractions/audio>
      #include <abstractions/chrome-libs-strict>
      #include <abstractions/cups-client>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/nvidia>  
      #include <abstractions/ubuntu-browsers.d/java>
      #include <abstractions/user-tmp>
      
      # For networking.  Decided not to use abstractions here.  
      network inet stream,
      network inet6 stream,
      network inet  dgram,
      network inet6 dgram,
      /etc/host.conf r,
      /etc/hosts r,
      /etc/nsswitch.conf r,
      /etc/resolv.conf r,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r, 
    
      /bin/bash r,
      
      /opt/google/chrome/ r,
      /opt/google/chrome/** m,
      /opt/google/chrome/** rwkl,
      
      /dev/ r,
      /dev/null rw,
      /dev/tty rw,
      /dev/urandom r,
      
      /etc/ld.so.cache r,
      /etc/locale.alias r,
      /etc/debian_version r,
      /etc/gnome/defaults.list r,
      /etc/group r,  
      /etc/lsb-release r,
      /etc/localtime r,
      /etc/gai.conf r,
      /etc/mtab r,
      /etc/mime.types r,
      /etc/mailcap r,
      /etc/passwd r,
      /etc/xdg/xubuntu/applications/defaults.list r,
    
      /run/shm/*.google** rw,
      /selinux/ r,
      /var/lib/dbus/machine-id r,
      
      owner @{HOME}/.config/google-chrome/ r,
      owner @{HOME}/.config/google-chrome/** rwkl,
      owner @{HOME}/.cache/dconf/user rw,
      owner @{HOME}/.config/dconf/user r,
      owner @{HOME}/.local/share/applications/mimeapps.list** rw,
      owner @{HOME}/.config/google-chrome/ r,
      owner @{HOME}/.config/google-chrome/** rwkl,
      owner @{HOME}/.config/ibus/bus/ rw,
      owner @{HOME}/.cache/google-chrome/Default/Cache/ r,
      owner @{HOME}/.cache/google-chrome/Default/Cache/** rw,
      owner @{HOME}/.nvidia/* rw,
      owner @{HOME}/.nv/GLCache/ r,
      owner @{HOME}/.nv/GLCache/** rwk,
      @{HOME}/.Xauthority r,
    
      # For nautilus so you can browse dirs
      /usr/bin/nautilus rix,
    
      # To Open transmission bit torrent client (NOTE: I have a separate profile for it).
      /usr/bin/transmission-gtk rPx,
    
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/cpuinfo r,
      @{PROC}/filesystems r,
      @{PROC}/ r,
      @{PROC}/*/maps r,
      @{PROC}/stat r,
      @{PROC}/meminfo r,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      @{PROC}/*/oom_score_adj rw,
      @{PROC}/sys/kernel/shmmax r,
      @{PROC}/*/task/ r,
      owner @{PROC}/[0-9]*/cmdline r,
      owner @{PROC}/[0-9]*/io r,
      owner @{PROC}/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/status r,
       
      
      # Newer chromium needs these now
      /sys/devices/pci[0-9]*/**/class r,
      /sys/devices/pci[0-9]*/**/device r,
      /sys/devices/pci[0-9]*/**/irq r,
      /sys/devices/pci[0-9]*/**/resource r,
      /sys/devices/pci[0-9]*/**/vendor r,
      /sys/devices/system/cpu/online r,
      /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
      /sys/bus/pci/devices/ r,
      
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
        
      owner @{HOME}/.pki/nssdb/* rwk, 
       
      # For themes
      /usr/share/misc/ r,
      /usr/share/misc/** r,
      /usr/share/glib-2.0/schemas/ r,
      /usr/share/glib-2.0/schemas/** r,
      /usr/share/themes/ r,
      /usr/share/themes/** r,
    
      # For timezone info
      /usr/share/zoneinfo/ r,
      /usr/share/zoneinfo/** r,
    
      # For locale stuff
      /usr/share/X11/locale/ r,
      /usr/share/X11/locale/** r,
      /usr/share/X11/XErrorDB r,
    
      /tmp/* m,
    
      # All of these processes have child profiles below
      /bin/mkdir cxr,
      /bin/which cxr,
      /bin/readlink cxr,
      /usr/bin/lsb_release cxr,
      /usr/bin/xdg-settings cxr,
      /usr/bin/dirname cxr,
      
       # Allow transitions to ourself and our sandbox
      /opt/google/chrome/chrome-sandbox cx -> chrome_sandbox,
      /opt/google/chrome/*chrome ixr,  
      /opt/google/chrome/nacl_helper_bootstrap ixr,    
    
      
      profile /bin/mkdir {
    
      /bin/mkdir r,
      /etc/ld.so.cache r,
      /lib/x86_64-linux-gnu/libselinux.so* mr,
      /lib/x86_64-linux-gnu/libc*.so mr,
      /lib/x86_64-linux-gnu/libdl*.so mr,
      /lib/x86_64-linux-gnu/ld*.so mr,
      /proc/filesystems r,
      /usr/lib/locale/locale-archive r,
      }
      
      profile /bin/which {
    
      /etc/ld.so.cache r,
      /bin/dash r,
      /bin/which r,
      /dev/null rw,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/ld-*.so mr,
      }
    
      profile /bin/readlink {
    
      /bin/readlink r,
      /etc/ld.so.cache r,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/ld*.so mr,
      /usr/lib/locale/locale-archive r,
      }
    
      profile /usr/bin/dirname {
    
      /etc/ld.so.cache r,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/ld-*.so mr,
      /usr/bin/dirname r,
      /usr/lib/locale/locale-archive r,
      }
      
      profile /usr/bin/lsb_release {
    
        /etc/ld.so.cache r,
        /etc/lsb-release r,
        /etc/python2.7/sitecustomize.py r,
        /lib/x86_64-linux-gnu/ld-*.so r,
        /lib/x86_64-linux-gnu/libc-*.so mr,
        /lib/x86_64-linux-gnu/libcrypto.so.* mr,
        /lib/x86_64-linux-gnu/libdl-*.so mr,
        /lib/x86_64-linux-gnu/libgcc_s.so.* mr,
        /lib/x86_64-linux-gnu/libm-*.so mr,
        /lib/x86_64-linux-gnu/libpthread-*.so mr,
        /lib/x86_64-linux-gnu/libssl.so.* mr,
        /lib/x86_64-linux-gnu/libutil-*.so mr,
        /lib/x86_64-linux-gnu/libz.so.* mr,
        /proc/meminfo r,
        /usr/bin/lsb_release r,
        /usr/bin/python2.7 r,
        /usr/include/python2.7/pyconfig.h r,
        /usr/lib/locale/** r,
        /usr/lib/pymodules/python2.7/.path r,
        /usr/lib/python2.7/** r,
        /usr/local/lib/python2.7/*/ r,
        /usr/share/pyshared/* r,
    
      }
    
      profile /usr/bin/xdg-settings {
    
        /bin/dash r,
        /bin/grep rix,
        /bin/readlink rix,
        /bin/sed rix,
        /bin/which rix,
        /etc/ld.so.cache r,
        /home/*/.local/share/applications/google-chrome.desktop r,
        /home/*/.local/share/applications/mimeapps.list r,
        /lib/x86_64-linux-gnu/ld-*.so r,
        /lib/x86_64-linux-gnu/libc-*.so mr,
        /lib/x86_64-linux-gnu/libdbus-1.so.* mr,
        /lib/x86_64-linux-gnu/libdl-*.so mr,
        /lib/x86_64-linux-gnu/libglib-2.0.so.* mr,
        /lib/x86_64-linux-gnu/libm-*.so mr,
        /lib/x86_64-linux-gnu/libpcre.so.* mr,
        /lib/x86_64-linux-gnu/libpthread-*.so mr,
        /lib/x86_64-linux-gnu/libresolv-*.so mr,
        /lib/x86_64-linux-gnu/librt-*.so mr,
        /lib/x86_64-linux-gnu/libselinux.so.* mr,
        /lib/x86_64-linux-gnu/libz.so.* mr,
        /proc/*/maps r,
        /proc/filesystems r,
        /usr/bin/basename rix,
        /usr/bin/cut rix,
        /usr/bin/gawk rix,
        /usr/bin/gconftool-2 rix,
        /usr/bin/xdg-mime rix,
        /usr/bin/xdg-settings r,
        /usr/lib/libsigsegv.so.* mr,
        /usr/lib/locale/** r,
        /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
        /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.* mr,
        /usr/lib/x86_64-linux-gnu/libffi.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgconf-2.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgio-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,
    
      }
    
      profile chrome_sandbox {
        # Be fanatical since it is setuid root and don't use an abstraction
      /lib/libgcc_s.so* mr,
      /lib{,32,64}/libm-*.so* mr,
      /lib/@{multiarch}/libm-*.so* mr,
      /lib{,32,64}/libpthread-*.so* mr,
      /lib/@{multiarch}/libpthread-*.so* mr,
      /lib{,32,64}/libc-*.so* mr,
      /lib/@{multiarch}/libc-*.so* mr,
      /lib{,32,64}/libld-*.so* mr,
      /lib/@{multiarch}/libld-*.so* mr,
      /lib{,32,64}/ld-*.so* mr,
      /lib/@{multiarch}/ld-*.so* mr,  
    
      /lib/x86_64-linux-gnu/ld-*.so mr,
      /lib/x86_64-linux-gnu/libcom_err.so* mr,
      /lib/x86_64-linux-gnu/libexpat.so* mr,
      /lib/x86_64-linux-gnu/librt*.so mr,
      /lib/x86_64-linux-gnu/libdl*.so mr,
      /lib/x86_64-linux-gnu/libgcc_s.so* mr,
      /lib/x86_64-linux-gnu/libglib-*.so.* mr,
      /lib/x86_64-linux-gnu/libgcrypt.so.* mr,
      /lib/x86_64-linux-gnu/libgpg-error.so* mr,
      /lib/x86_64-linux-gnu/libkeyutils.so* mr,
      /lib/x86_64-linux-gnu/libz.so.* mr,
      /lib/x86_64-linux-gnu/libdbus-*.so* mr,
      /lib/x86_64-linux-gnu/libudev.so* mr,
      /lib/x86_64-linux-gnu/libbz2.so* mr,
      /lib/x86_64-linux-gnu/libpcre.so* mr,
      /lib/x86_64-linux-gnu/libpng12.so* mr,
      /lib/x86_64-linux-gnu/libresolv*.so* mr,
      /lib/x86_64-linux-gnu/libselinux.so* mr,
      /usr/lib/x86_64-linux-gnu/libk5crypto.so* mr,
      /usr/lib/x86_64-linux-gnu/libavahi**.so* mr,
      /usr/lib/x86_64-linux-gnu/libasound.so* mr,
      /usr/lib/x86_64-linux-gnu/libatk-*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcairo.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcups.so* mr,
      /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so* mr,
      /usr/lib/x86_64-linux-gnu/libffi.so* mr,
      /usr/lib/x86_64-linux-gnu/libfontconfig.so.* mr,
      /usr/lib/x86_64-linux-gnu/libfreetype.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgdk-x11-*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgnutls.so* mr,
      /usr/lib/x86_64-linux-gnu/libgobject*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgio-*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgmodule-*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so* mr,
      /usr/lib/x86_64-linux-gnu/libgthread*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgtk-x11-*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libkrb5support.so* mr,
      /usr/lib/x86_64-linux-gnu/libkrb5.so* mr,
      /usr/lib/x86_64-linux-gnu/libnss3.so mr,
      /usr/lib/x86_64-linux-gnu/libnspr4.so mr,
      /usr/lib/x86_64-linux-gnu/libnssutil3.so mr,
      /usr/lib/x86_64-linux-gnu/libp11-kit.so* mr,
      /usr/lib/x86_64-linux-gnu/libpango**.so* mr,
      /usr/lib/x86_64-linux-gnu/libplc4.so mr,
      /usr/lib/x86_64-linux-gnu/libplds4.so mr,
      /usr/lib/x86_64-linux-gnu/libpixman-1.so* mr,  
      /usr/lib/x86_64-linux-gnu/libsmime3.so mr,
      /usr/lib/x86_64-linux-gnu/libsqlite3.so* mr, 
      /usr/lib/x86_64-linux-gnu/libstdc++.so* mr,
      /usr/lib/x86_64-linux-gnu/libtasn1.so* mr,
      /usr/lib/x86_64-linux-gnu/libxcb**.so* mr,
      /usr/lib/x86_64-linux-gnu/libX**.so** mr,    
      /usr/lib/x86_64-linux-gnu/libgconf-*.so* mr,  
      /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so mr,
      /usr/lib/x86_64-linux-gnu/nss/libfreebl3.so mr,
       
      /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
      /usr/lib/libstdc++.so* mr,  
    
      /etc/ld.so.cache r,
    
      /usr/share/fonts/ r,
      /usr/share/fonts/** r,
      /usr/share/zoneinfo/ r,
      /usr/share/zoneinfo/** r,
    
    
      # Required for dropping into PID namespace. Keep in mind that until the
      # process drops this capability it can escape confinement, but once it
      # drops CAP_SYS_ADMIN we are ok.
      capability sys_admin,
    
      # All of these are for sanely dropping from root and chrooting
      capability chown,
      capability fsetid,
      capability setgid,
      capability setuid,
      capability dac_override,
      capability sys_chroot,
    
      # *Sigh*
      capability sys_ptrace,
    
      @{PROC}/ r,
      /proc/[0-9]*/ r,
      @{PROC}/[0-9]*/proc/cpuinfo/ r,
      @{PROC}/[0-9]*/fd/ r,
      /proc/*/maps r,
      @{PROC}/[0-9]*/oom_adj w,
      @{PROC}/[0-9]*/oom_score_adj w,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      /proc/filesystems r,
      /proc/cpuinfo r,  
      /proc/*/status r,
      /proc/sys/kernel/shmmax r,
      
    
      /etc/locale.alias r,
      /etc/localtime r,
    
      /dev/null r,
      /dev/urandom r,
    
      /run/shm/.com.google** r,
      /run/shm/.com.google** rw,
    
      /usr/lib/locale/locale-archive r,
    
      /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
    
      /home/*/.config/google-chrome/Default/databases/ r,
      /home/*/.config/google-chrome/Default/databases/** rwkl,
    
      /opt/google/chrome/ r,
      /opt/google/chrome/** r,
      /opt/google/chrome/** m,
      /opt/google/chrome/*chrome ix,
      /opt/google/chrome/nacl_helper_bootstrap ix,
      /opt/google/chrome/chrome-sandbox r,
    
      owner /tmp/** rw,
      }
    
    }
    Here's the chrome-libs-strict abstraction. Place this file in /etc/apparmor.d/abstractions.

    Code:
    # vim:syntax=apparmor
    
      # These are the libs for Chrome.  I was very strict here.
    
      /lib/libnss*.so* mr,
    
      /lib/x86_64-linux-gnu/ld*.so mr,
      /lib/x86_64-linux-gnu/libbz2.so* mr,
      /lib/x86_64-linux-gnu/libc**.so mr,
      /lib/x86_64-linux-gnu/libcom_err.so* mr,
      /lib/x86_64-linux-gnu/libcrypto.so.* mr,
      /lib/x86_64-linux-gnu/libdbus*.so* mr,
      /lib/x86_64-linux-gnu/libdl**.so mr,
      /lib/x86_64-linux-gnu/libexpat.so* mr,
      /lib/x86_64-linux-gnu/libgcc_s.so* mr,
      /lib/x86_64-linux-gnu/libgcrypt.so* mr,
      /lib/x86_64-linux-gnu/libglib-*.so.* mr,
      /lib/x86_64-linux-gnu/libgpg-error.so* mr,
      /lib/x86_64-linux-gnu/libkeyutils.so* mr,
      /lib/x86_64-linux-gnu/libm*.so mr,
      /lib/x86_64-linux-gnu/libnsl-*.so mr,
      /lib/x86_64-linux-gnu/libpci.so.* mr,
      /lib/x86_64-linux-gnu/libpcre.so* mr,
      /lib/x86_64-linux-gnu/libpng12.so* mr,
      /lib/x86_64-linux-gnu/libpthread*.so mr,
      /lib/x86_64-linux-gnu/libresolv*.so mr,
      /lib/x86_64-linux-gnu/librt-*.so mr,
      /lib/x86_64-linux-gnu/libselinux.so.* mr,
      /lib/x86_64-linux-gnu/libssl.so.* mr,
      /lib/x86_64-linux-gnu/libtinfo.so.* mr,
      /lib/x86_64-linux-gnu/libudev.so* mr,
      /lib/x86_64-linux-gnu/libutil-*.so mr,
      /lib/x86_64-linux-gnu/libuuid.so.* mr,
      /lib/x86_64-linux-gnu/libz.so* mr,
      /lib/x86_64-linux-gnu/libwrap.so* mr,
      /lib/x86_64-linux-gnu/libnss*.so* mr,
        
      /usr/lib/firefox-addons/plugins/ r,
      /usr/lib/xulrunner-addons/plugins/ r,
      /usr/lib/flashplugin-installer/libflashplayer.so mr,
      /usr/lib/gtk-2.0/2.10.0/menuproxies/libappmenu.so mr,
      /usr/lib/libdee*.so* mr,
      /usr/lib/libicudata.so.* mr,
      /usr/lib/libicui18n.so.* mr,
      /usr/lib/libicuuc.so.* mr,
      /usr/lib/liboverlay-scrollbar-0.2.so.* mr,
      /usr/lib/libGL.so* mr,
      /usr/lib/libsigsegv.so.* mr,
      /usr/lib/libtotem-plparser-mini.so.* mr,
      /usr/lib/libunity.so.* mr,
      /usr/lib/locale/locale-archive r,
      /usr/lib/mozilla/plugins/ r,
      /usr/lib/mozilla/plugins/*.so mr,
      /usr/lib/pymodules/python2.7/* r,
      /usr/lib/python2.7/config/* r,
      /usr/lib/tls/libnvidia-tls.so* mr,
      /usr/lib/libnvidia*.so* mr,
        
      /usr/lib/x86_64-linux-gnu/gconv/gconv-modules r,
      /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
      /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache r,
      /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so mr,
      /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so mr,
      /usr/lib/x86_64-linux-gnu/gio/modules/ r,
      /usr/lib/x86_64-linux-gnu/gio/modules/* mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/* mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules r,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/immodules/im-ibus.so mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so mr,
      /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so mr,
      /usr/lib/x86_64-linux-gnu/libICE.so.* mr,
      /usr/lib/x86_64-linux-gnu/libSM.so.* mr,
      /usr/lib/x86_64-linux-gnu/libX** mr,
      /usr/lib/x86_64-linux-gnu/libX*.so* r,
      /usr/lib/x86_64-linux-gnu/libX11.so** mr,
      /usr/lib/x86_64-linux-gnu/libasn1.so.* mr,
      /usr/lib/x86_64-linux-gnu/libasound.so* mr,
      /usr/lib/x86_64-linux-gnu/libatk*.so* mr,
      /usr/lib/x86_64-linux-gnu/libavahi-client.so* mr,
      /usr/lib/x86_64-linux-gnu/libavahi-common.so* mr,
      /usr/lib/x86_64-linux-gnu/libcairo.so* mr,
      /usr/lib/x86_64-linux-gnu/libcanberra-gtk.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcanberra.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcups.so* mr,
      /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.* mr,
      /usr/lib/x86_64-linux-gnu/libdbus-glib*.so* mr,
      /usr/lib/x86_64-linux-gnu/libdbusmenu-glib.so.* mr,
      /usr/lib/x86_64-linux-gnu/libdbusmenu-gtk.so.* mr,
      /usr/lib/x86_64-linux-gnu/libffi.so* mr,
      /usr/lib/x86_64-linux-gnu/libfontconfig.so* mr,
      /usr/lib/x86_64-linux-gnu/libfreetype.so* mr,
      /usr/lib/x86_64-linux-gnu/libgconf*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgdk-*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgdk_pixbuf*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgee.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgio*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgmodule*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgnutls.so* mr,
      /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgssapi.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so* mr,
      /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgtk-*.so* mr,
      /usr/lib/x86_64-linux-gnu/libhcrypto.so.* mr,
      /usr/lib/x86_64-linux-gnu/libheimbase.so.* mr,
      /usr/lib/x86_64-linux-gnu/libheimntlm.so.* mr,
      /usr/lib/x86_64-linux-gnu/libhx509.so.* mr,
      /usr/lib/x86_64-linux-gnu/libibus-1.0.so.* mr,
      /usr/lib/x86_64-linux-gnu/libidn.so.* mr,
      /usr/lib/x86_64-linux-gnu/libjson-glib*.so* mr,
      /usr/lib/x86_64-linux-gnu/libk5crypto.so* mr,
      /usr/lib/x86_64-linux-gnu/libkrb5.so* mr,
      /usr/lib/x86_64-linux-gnu/libkrb5support.so* mr,
      /usr/lib/x86_64-linux-gnu/liblber*.so* mr,
      /usr/lib/x86_64-linux-gnu/libldap_r*.so* mr,
      /usr/lib/x86_64-linux-gnu/libltdl.so.* mr,
      /usr/lib/x86_64-linux-gnu/liblua5.1.so.* mr,
      /usr/lib/x86_64-linux-gnu/libnspr4.so mr,
      /usr/lib/x86_64-linux-gnu/libnss3.so mr,  
      /usr/lib/x86_64-linux-gnu/libnssutil3.so mr,
      /usr/lib/x86_64-linux-gnu/libogg.so.* mr,
      /usr/lib/x86_64-linux-gnu/libp11-kit.so* mr,
      /usr/lib/x86_64-linux-gnu/libpango*.so* mr,
      /usr/lib/x86_64-linux-gnu/libpangocairo*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libpixman*.so* mr,
      /usr/lib/x86_64-linux-gnu/libplc4.so mr,
      /usr/lib/x86_64-linux-gnu/libplds4.so mr,
      /usr/lib/x86_64-linux-gnu/libquvi.so.* mr,
      /usr/lib/x86_64-linux-gnu/libroken.so.* mr,
      /usr/lib/x86_64-linux-gnu/librtmp.so.* mr,
      /usr/lib/x86_64-linux-gnu/libsasl2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libsmime3.so mr,
      /usr/lib/x86_64-linux-gnu/libsqlite3.so.* mr,
      /usr/lib/x86_64-linux-gnu/libssl*.so mr,
      /usr/lib/x86_64-linux-gnu/libstdc** r,
      /usr/lib/x86_64-linux-gnu/libstdc++.so* mr,
      /usr/lib/x86_64-linux-gnu/libstdc\+\+.so.* mr,
      /usr/lib/x86_64-linux-gnu/libtasn1.so* mr,
      /usr/lib/x86_64-linux-gnu/libtdb.so.* mr,
      /usr/lib/x86_64-linux-gnu/libvorbis.so.* mr,
      /usr/lib/x86_64-linux-gnu/libvorbisfile.so.* mr,
      /usr/lib/x86_64-linux-gnu/libwind.so.* mr,
      /usr/lib/x86_64-linux-gnu/libxcb-render.so* mr,
      /usr/lib/x86_64-linux-gnu/libxcb-shm.so* mr,
      /usr/lib/x86_64-linux-gnu/libxcb.so* mr,
      /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,
      /usr/lib/x86_64-linux-gnu/nss/libfreebl*.so mr,
      /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so mr,
      /usr/lib/x86_64-linux-gnu/nss/libsoftokn*.so mr,
      /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/ r,
      /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules r,  
      /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so mr,
      /usr/lib/x86_64-linux-gnu/librsvg*.so* mr,
      /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module*.so mr,  
      /usr/lib/x86_64-linux-gnu/libpulse.so.* mr,
      /usr/lib/x86_64-linux-gnu/libpulsecommon*.so mr,
      /usr/lib/x86_64-linux-gnu/libspeexdsp.so* mr,
      /usr/lib/x86_64-linux-gnu/libjson.so* mr,
      /usr/lib/x86_64-linux-gnu/libcroco*.so* mr,
      /usr/lib/x86_64-linux-gnu/libsndfile.so* mr,
      /usr/lib/x86_64-linux-gnu/libasyncns.so* mr,
      /usr/lib/x86_64-linux-gnu/libFLAC.so* mr,
      /usr/lib/x86_64-linux-gnu/libvorbisenc.so* mr,
      /usr/lib/x86_64-linux-gnu/libX*.so* mr,  
      /usr/lib/x86_64-linux-gnu/libX11.so* mr,
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Nice. The one thing I'd say is that the Sandbox might not behave properly as a Child. I would launch that is Px. Otherwise that's a good idea to use Cx like that.
     
  8. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Yeah I have noticed the sandbox is asking for more libraries than what it used to when i had it as Px. I may take it and go back to Px and see if it still complains.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    It looks good chrono. Very clean and efficient.

    Finally I re-did - again - chrome profile, and this time properly spawned and created separate profiles for its sandbox and also for java. I learned it pays to slow down a bit and think some more about what I'm doing :) As well, I was a bit less generous with the wildcards, resulting in a more secure profile, albeit a little larger, but I think that's ok.
     
  10. tlu

    tlu Guest

    Well, I tried your separate profiles, added some rules via aa-logprof in complain mode until no errors were shown anymore. However, as soon as I turn to enforce mode, Chrome wouldn't start, and the KDE system monitor shows chrome-sandbox as a zombie process. Again, going back to complain mode doesn't show any errors.

    If I use a unified Chrome profile with

    /opt/google/chrome/chrome-sandbox rix,

    all is well.
     
  11. tlu

    tlu Guest

    Okay, I created new separate profiles for google-chrome, chrome-sandbox and nacl_helper_bootstrap. After adding numerous rules via aa-logprof in the past hour everything seems to run well - also in enforce mode. Funny - why didn't it work the last time I tried?

    This confirms my expression that the behaviour of AppArmor (while creating profiles via aa-logprof) is not always predictable. I think it depends on the sequence how the rules are added, and this can cause problems if various profiles are "nested" like in this example.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    I'm convinced creating rules via aa-logprof only works to a point, then a different approach needs to be taken, such as simply using the syslog with a filter to highlight the apparmor deny entries, then I copy the path names and paste them into the appropriate profile with the required mask. I've found in all cases when I build a profile that aa-logprof eventually "misses" necessary path/mask combinations, but digging through the syslog, although a bit more cumbersome, will uncover all the rest that's needed to complete the profile.
     
  13. tlu

    tlu Guest

    I don't think so. The last time when it didn't work for me, there were no errors in syslog, either. So far I haven't found any evidence that aa-logprof doesn't mirror the syslog entries.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    Well maybe I'm doing something wrong when I create the profile off logprof, but it's consistently the same for me, where eventually logprof doesn't catch everything i need, and I find the necessary entries in syslog. Oh well, at least the desired end result is achieved, especially after I figured out the Px mask :)
     
  15. tlu

    tlu Guest

    One funny thing which I can't explain:

    aa-status says:

    among them:

    /opt/google/chrome/chrome-sandbox
    /opt/google/chrome/google-chrome
    /opt/google/chrome/nacl_helper_bootstrap

    but:
    namely:

    /opt/google/chrome/chrome-sandbox//null-155
    /opt/google/chrome/chrome-sandbox//null-155//null-156
    /opt/google/chrome/google-chrome//null-10f
    /opt/google/chrome/google-chrome//null-10f//null-110
    /opt/google/chrome/google-chrome//null-10f//null-110//null-111
    /opt/google/chrome/google-chrome//null-10f//null-110//null-111//null-112
    /opt/google/chrome/google-chrome//null-10f//null-113
    /opt/google/chrome/google-chrome//null-10f//null-114
    /opt/google/chrome/google-chrome//null-10f//null-115
    /opt/google/chrome/google-chrome//null-10f//null-116
    /opt/google/chrome/google-chrome//null-10f//null-117
    /opt/google/chrome/google-chrome//null-10f//null-118
    /opt/google/chrome/google-chrome//null-10f//null-119
    /opt/google/chrome/google-chrome//null-10f//null-11a
    /opt/google/chrome/google-chrome//null-10f//null-11b

    ... and so forth. Does anybody know why?
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    No. I get those type entries too:

    Code:
    /usr/bin/xdg-settings//null-33
       /usr/bin/xdg-settings//null-34
       /usr/bin/xdg-settings//null-35
       /usr/bin/xdg-settings//null-36
       /usr/bin/xdg-settings//null-37
       /usr/bin/xdg-settings//null-37//null-38
       /usr/bin/xdg-settings//null-37//null-39
       /usr/bin/xdg-settings//null-37//null-3a
       /usr/bin/xdg-settings//null-37//null-3b
       /usr/bin/xdg-settings//null-37//null-3c
       /usr/bin/xdg-settings//null-37//null-3d
       /usr/bin/xdg-settings//null-37//null-3e
       /usr/bin/xdg-settings//null-37//null-3f
       /usr/bin/xdg-settings//null-37//null-40
    
     
  17. tlu

    tlu Guest

    Yes, very strange. And they are still there even if I restart AppArmor or reload all profiles.
     
  18. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343

    You're on KDE, which is probably the reason. I wrote the profile for Unity on Ubtunu 12.04.

    I have updated my profile and it works here for me on Unity with no issues. This time I put chrome-sandbox in its own separate profile, which seems to work better. I also made a new profile for the Java (IcedTea) plugin. That profile (for Java) is as restrictive as is humanly possible. I will paste all of the profiles below

    opt.google.chrome.chrome (place this in /etc/apparmor.d)

    (NOTE: if you don't use an nvidia card, you can remove the "nvidia" abstraction and replace it with your own).

    Code:
    # Last Modified: Wed Sep 19 08:49:42 2012
    #include <tunables/global>
      
    /opt/google/chrome/*chrome {
      #include <abstractions/audio>
      #include <abstractions/browser-libs-strict>
      #include <abstractions/browser_openjdk>
      #include <abstractions/cups-client>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/nvidia>    
      #include <abstractions/user-tmp>
      
      # For networking.  Decided not to use abstractions here.  
      network inet stream,
      network inet6 stream,
      network inet  dgram,
      network inet6 dgram,
      /etc/host.conf r,
      /etc/hosts r,
      /etc/nsswitch.conf r,
      /etc/resolv.conf r,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r, 
    
      /bin/bash r,
      
      /opt/google/chrome/ r,
      /opt/google/chrome/** m,
      /opt/google/chrome/** rwkl,
      
      /dev/ r,
      /dev/null rw,
      /dev/tty rw,
      /dev/urandom r,
      
      /etc/ld.so.cache r,
      /etc/locale.alias r,
      /etc/debian_version r,
      /etc/gnome/defaults.list r,
      /etc/group r,  
      /etc/lsb-release r,
      /etc/localtime r,
      /etc/gai.conf r,
      /etc/mtab r,
      /etc/mime.types r,
      /etc/mailcap r,
      /etc/passwd r,
      /etc/xdg/xubuntu/applications/defaults.list r,
    
      /run/shm/*.google** rw,
      /selinux/ r,
      /var/lib/dbus/machine-id r,
      
      owner @{HOME}/.config/google-chrome/ r,
      owner @{HOME}/.config/google-chrome/** rwkl,
      owner @{HOME}/.cache/dconf/user rw,
      owner @{HOME}/.config/dconf/user r,
      owner @{HOME}/.local/share/applications/mimeapps.list** rw,
      owner @{HOME}/.config/google-chrome/ r,
      owner @{HOME}/.config/google-chrome/** rwkl,
      owner @{HOME}/.config/ibus/bus/ rw,
      owner @{HOME}/.cache/google-chrome/Default/Cache/ r,
      owner @{HOME}/.cache/google-chrome/Default/Cache/** rw,
      owner @{HOME}/.nvidia/* rw,
      owner @{HOME}/.nv/GLCache/ r,
      owner @{HOME}/.nv/GLCache/** rwk,
      @{HOME}/.Xauthority r,
    
      # For nautilus so you can browse dirs
      /usr/bin/nautilus rix,
    
      # To open transmission bit torrent client
      /usr/bin/transmission-gtk rPx,
    
      @{PROC}/[0-9]*/ r,
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/cpuinfo r,
      @{PROC}/filesystems r,
      @{PROC}/ r,
      @{PROC}/*/maps r,
      @{PROC}/stat r,
      @{PROC}/meminfo r,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      @{PROC}/*/oom_score_adj rw,
      @{PROC}/sys/kernel/shmmax r,
      @{PROC}/*/task/ r,
      owner @{PROC}/[0-9]*/cmdline r,
      owner @{PROC}/[0-9]*/io r,
      owner @{PROC}/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/status r,
       
      
      # Newer chromium needs these now
      /sys/devices/pci[0-9]*/**/class r,
      /sys/devices/pci[0-9]*/**/device r,
      /sys/devices/pci[0-9]*/**/irq r,
      /sys/devices/pci[0-9]*/**/resource r,
      /sys/devices/pci[0-9]*/**/vendor r,
      /sys/devices/system/cpu/online r,
      /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
      /sys/bus/pci/devices/ r,
      
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
        
      owner @{HOME}/.pki/nssdb/* rwk, 
       
      # For themes
      /usr/share/misc/ r,
      /usr/share/misc/** r,
      /usr/share/glib-2.0/schemas/ r,
      /usr/share/glib-2.0/schemas/** r,
      /usr/share/themes/ r,
      /usr/share/themes/** r,
    
      # For timezone info
      /usr/share/zoneinfo/ r,
      /usr/share/zoneinfo/** r,
    
      /usr/share/X11/locale/ r,
      /usr/share/X11/locale/** r,
      /usr/share/X11/XErrorDB r,
    
      /tmp/* m,
    
      # All of these processes have child profiles below
      /bin/mkdir Cxr,
      /bin/which Cxr,
      /bin/readlink Cxr,
      /usr/bin/lsb_release Cxr,
      /usr/bin/xdg-settings Cxr,
      /usr/bin/dirname Cxr,
      /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java Cxr -> browser_openjdk,
      
       # Allow transitions to ourself and our sandbox
      /opt/google/chrome/chrome-sandbox rPx,
      /opt/google/chrome/*chrome ixr,  
      /opt/google/chrome/nacl_helper_bootstrap ixr,    
    
      
      profile /bin/mkdir {
    
      /bin/mkdir r,
      /etc/ld.so.cache r,
      /lib/x86_64-linux-gnu/libselinux.so* mr,
      /lib/x86_64-linux-gnu/libc*.so mr,
      /lib/x86_64-linux-gnu/libdl*.so mr,
      /lib/x86_64-linux-gnu/ld*.so mr,
      /proc/filesystems r,
      /usr/lib/locale/locale-archive r,
      }
      
      profile /bin/which {
    
      /etc/ld.so.cache r,
      /bin/dash r,
      /bin/which r,
      /dev/null rw,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/ld-*.so mr,
      }
    
      profile /bin/readlink {
    
      /bin/readlink r,
      /etc/ld.so.cache r,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/ld*.so mr,
      /usr/lib/locale/locale-archive r,
      }
    
      profile /usr/bin/dirname {
    
      /etc/ld.so.cache r,
      /lib/x86_64-linux-gnu/libc-*.so mr,
      /lib/x86_64-linux-gnu/ld-*.so mr,
      /usr/bin/dirname r,
      /usr/lib/locale/locale-archive r,
      }
      
      profile /usr/bin/lsb_release {
    
        /etc/ld.so.cache r,
        /etc/lsb-release r,
        /etc/python2.7/sitecustomize.py r,
        /lib/x86_64-linux-gnu/ld-*.so r,
        /lib/x86_64-linux-gnu/libc-*.so mr,
        /lib/x86_64-linux-gnu/libcrypto.so.* mr,
        /lib/x86_64-linux-gnu/libdl-*.so mr,
        /lib/x86_64-linux-gnu/libgcc_s.so.* mr,
        /lib/x86_64-linux-gnu/libm-*.so mr,
        /lib/x86_64-linux-gnu/libpthread-*.so mr,
        /lib/x86_64-linux-gnu/libssl.so.* mr,
        /lib/x86_64-linux-gnu/libutil-*.so mr,
        /lib/x86_64-linux-gnu/libz.so.* mr,
        /proc/meminfo r,
        /usr/bin/lsb_release r,
        /usr/bin/python2.7 r,
        /usr/include/python2.7/pyconfig.h r,
        /usr/lib/locale/** r,
        /usr/lib/pymodules/python2.7/.path r,
        /usr/lib/python2.7/** r,
        /usr/local/lib/python2.7/*/ r,
        /usr/share/pyshared/* r,
    
      }
    
      
      profile /usr/bin/xdg-settings {
    
        /bin/dash r,
        /bin/grep rix,
        /bin/mkdir rCx,
        /bin/readlink rCx,
        /bin/sed rix,
        /bin/which rCx,
    
        /dev/null w,
        /etc/ld.so.cache r,
        /etc/locale.alias r,
        /home/*/.local/share/applications/google-chrome.desktop r,
        /home/*/.local/share/applications/mimeapps.list r,   
        /home/*/.local/share/applications/ r, 
        /proc/*/maps r,
        /proc/filesystems r,
    
        /usr/bin/basename rix,
        /usr/bin/cut rix,
        /usr/bin/gawk rix,
        /usr/bin/gconftool-2 rix,
        /usr/bin/xdg-mime rix,
        /usr/bin/xdg-settings r,
    
        /usr/lib/libsigsegv.so.* mr,
        /usr/lib/locale/** r,   
    
        /lib/x86_64-linux-gnu/libc-*.so mr, 
        /lib/x86_64-linux-gnu/ld-*.so mr, 
        /lib/x86_64-linux-gnu/libdl*.so mr,
        /lib/x86_64-linux-gnu/libdbus-1.so.* mr,
        /lib/x86_64-linux-gnu/libglib-2.0.so.* mr,
        /lib/x86_64-linux-gnu/libselinux.so* mr,
        /lib/x86_64-linux-gnu/libm-*.so mr,
        /lib/x86_64-linux-gnu/libpcre.so.* mr,
        /lib/x86_64-linux-gnu/libpthread-*.so mr,
        /lib/x86_64-linux-gnu/libresolv-2.15.so mr,
        /lib/x86_64-linux-gnu/librt-2.15.so mr,
        /lib/x86_64-linux-gnu/libz.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgio-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/gconv/gconv-modules r,
        /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
        /usr/lib/x86_64-linux-gnu/libgconf-2.so.* mr,
        /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgio-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.* mr,
        /usr/lib/x86_64-linux-gnu/libffi.so.* mr,
        /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,
    
      }  
    
    }
    opt.google.chrome.chrome-sandbox (also place this in /etc/apparmor.d)

    Code:
    # Last Modified: Sat Sep 22 10:13:11 2012
    #include <tunables/global>
    
    /opt/google/chrome/chrome-sandbox {
      # Be fanatical since it is setuid root and don't use an abstraction
      /lib/libgcc_s.so* mr,
      /lib{,32,64}/libm-*.so* mr,
      /lib/@{multiarch}/libm-*.so* mr,
      /lib{,32,64}/libpthread-*.so* mr,
      /lib/@{multiarch}/libpthread-*.so* mr,
      /lib{,32,64}/libc-*.so* mr,
      /lib/@{multiarch}/libc-*.so* mr,
      /lib{,32,64}/libld-*.so* mr,
      /lib/@{multiarch}/libld-*.so* mr,
      /lib{,32,64}/ld-*.so* mr,
      /lib/@{multiarch}/ld-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
      /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
      /usr/lib/libstdc++.so* mr,
      /etc/ld.so.cache r,
    
      # Required for dropping into PID namespace. Keep in mind that until the
      # process drops this capability it can escape confinement, but once it
      # drops CAP_SYS_ADMIN we are ok.
      capability sys_admin,
    
      # All of these are for sanely dropping from root and chrooting
      capability chown,
      capability fsetid,
      capability setgid,
      capability setuid,
      capability dac_override,
      capability sys_chroot,
    
      # *Sigh*
      capability sys_ptrace,
    
      @{PROC}/ r,
      @{PROC}/[0-9]*/ r,
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/[0-9]*/oom_adj w,
      @{PROC}/[0-9]*/oom_score_adj w,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
    
      /opt/google/chrome/*chrome r,
      /opt/google/chrome/*chrome Px,
      /opt/google/chrome/chrome-sandbox r,
    
      owner /tmp/** rw,
    }

    Here is the "browser-libs-strict" abstraction. This abstraction includes all the libraries Chrome and Firefox need. Firefox uses a few Chrome doesn't, but most of them overlap. I feel this is safer than using <abstractions/base> which gives the browser access to *all* possible libs. Place this file in /etc/apparmor.d/abstractions

    Code:
      # vim:syntax=apparmor
    
      # These are the libs for Chrome.  I was very strict here.
    
      /lib/libnss*.so* mr,
      /lib/libiw.so.* mr,
      /lib/libproc-*.so mr,
    
      /lib/x86_64-linux-gnu/ld*.so mr,
      /lib/x86_64-linux-gnu/libbz2.so* mr,
      /lib/x86_64-linux-gnu/libc**.so mr,
      /lib/x86_64-linux-gnu/libcom_err.so* mr,
      /lib/x86_64-linux-gnu/libcrypto.so.* mr,
      /lib/x86_64-linux-gnu/libdbus*.so* mr,
      /lib/x86_64-linux-gnu/libdl**.so mr,
      /lib/x86_64-linux-gnu/libexpat.so* mr,
      /lib/x86_64-linux-gnu/libgcc_s.so* mr,
      /lib/x86_64-linux-gnu/libgcrypt.so* mr,
      /lib/x86_64-linux-gnu/libglib-*.so.* mr,
      /lib/x86_64-linux-gnu/libgpg-error.so* mr,
      /lib/x86_64-linux-gnu/libkeyutils.so* mr,
      /lib/x86_64-linux-gnu/libm*.so mr,
      /lib/x86_64-linux-gnu/libnsl-*.so mr,
      /lib/x86_64-linux-gnu/libpopt.so.* mr,
      /lib/x86_64-linux-gnu/libpci.so.* mr,
      /lib/x86_64-linux-gnu/libpcre.so* mr,
      /lib/x86_64-linux-gnu/libpng12.so* mr,
      /lib/x86_64-linux-gnu/libpthread*.so mr,
      /lib/x86_64-linux-gnu/libresolv*.so mr,
      /lib/x86_64-linux-gnu/librt-*.so mr,
      /lib/x86_64-linux-gnu/libselinux.so.* mr,
      /lib/x86_64-linux-gnu/libssl.so.* mr,
      /lib/x86_64-linux-gnu/libtinfo.so.* mr,
      /lib/x86_64-linux-gnu/libudev.so* mr,
      /lib/x86_64-linux-gnu/libutil-*.so mr,
      /lib/x86_64-linux-gnu/libuuid.so.* mr,
      /lib/x86_64-linux-gnu/libz.so* mr,
      /lib/x86_64-linux-gnu/libwrap.so* mr,
      /lib/x86_64-linux-gnu/libnss*.so* mr,
        
      /usr/lib/firefox-addons/plugins/ r,
      /usr/lib/xulrunner-addons/plugins/ r,
      /usr/lib/flashplugin-installer/libflashplayer.so mr,
      /usr/lib/gtk-2.0/2.10.0/menuproxies/libappmenu.so mr,
      /usr/lib/libdee*.so* mr,
      /usr/lib/libicudata.so.* mr,
      /usr/lib/libicui18n.so.* mr,
      /usr/lib/libicuuc.so.* mr,
      /usr/lib/liboverlay-scrollbar-0.2.so.* mr,
      /usr/lib/libGL.so* mr,
      /usr/lib/libsigsegv.so.* mr,
      /usr/lib/libtotem-plparser-mini.so.* mr,
      /usr/lib/libunity.so.* mr,
      /usr/lib/locale/locale-archive r,
      /usr/lib/mozilla/plugins/ r,
      /usr/lib/mozilla/plugins/*.so mr,
      /usr/lib/pymodules/python2.7/* r,
      /usr/lib/python2.7/config/* r,
      /usr/lib/tls/libnvidia-tls.so* mr,
      /usr/lib/libnvidia*.so* mr,
    
      #Firefox
    
      /usr/lib/gtk-3.0/3.0.0/menuproxies/libappmenu.so mr,
      /usr/lib/gtk-3.0/3.0.0/theming-engines/libunico.so mr,
      /usr/lib/libappindicator3.so.* mr,
      /usr/lib/libevent*.so.* mr,
      /usr/lib/libgnome-2.so.* mr,
      /usr/lib/libgnomecanvas-2.so.* mr,
      /usr/lib/libindicator3.so.* mr,
      /usr/lib/liblaunchpad-integration*.so.* mr,
      /usr/lib/libminiupnpc.so.* mr,
      /usr/lib/liboverlay-scrollbar3*.so.* mr,
    
      #Chrome specific
    
      /usr/lib/x86_64-linux-gnu/gconv/gconv-modules r,
      /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
      /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache r,
      /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader*.so mr,
      /usr/lib/x86_64-linux-gnu/gio/modules/ r,
      /usr/lib/x86_64-linux-gnu/gio/modules/* mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/*/engines/* mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/*/gtk.immodules r,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/*/immodules/im-ibus.so mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so mr,
      /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so mr,
      /usr/lib/x86_64-linux-gnu/libICE.so.* mr,
      /usr/lib/x86_64-linux-gnu/libSM.so.* mr,
      /usr/lib/x86_64-linux-gnu/libX** mr,
      /usr/lib/x86_64-linux-gnu/libX*.so* r,
      /usr/lib/x86_64-linux-gnu/libX11.so** mr,
      /usr/lib/x86_64-linux-gnu/libasn1.so.* mr,
      /usr/lib/x86_64-linux-gnu/libasound.so* mr,
      /usr/lib/x86_64-linux-gnu/libatk*.so* mr,
      /usr/lib/x86_64-linux-gnu/libavahi-client.so* mr,
      /usr/lib/x86_64-linux-gnu/libavahi-common.so* mr,
      /usr/lib/x86_64-linux-gnu/libcairo.so* mr,
      /usr/lib/x86_64-linux-gnu/libcanberra-gtk.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcanberra.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcups.so* mr,
      /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.* mr,
      /usr/lib/x86_64-linux-gnu/libdbus-glib*.so* mr,
      /usr/lib/x86_64-linux-gnu/libdbusmenu-glib.so.* mr,
      /usr/lib/x86_64-linux-gnu/libdbusmenu-gtk.so.* mr,
      /usr/lib/x86_64-linux-gnu/libffi.so* mr,
      /usr/lib/x86_64-linux-gnu/libfontconfig.so* mr,
      /usr/lib/x86_64-linux-gnu/libfreetype.so* mr,
      /usr/lib/x86_64-linux-gnu/libgconf*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgdk-*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgdk_pixbuf*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgee.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgio*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgmodule*.so* mr,
      /usr/lib/x86_64-linux-gnu/libgnutls.so* mr,
      /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgssapi.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so* mr,
      /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgtk-*.so* mr,
      /usr/lib/x86_64-linux-gnu/libhcrypto.so.* mr,
      /usr/lib/x86_64-linux-gnu/libheimbase.so.* mr,
      /usr/lib/x86_64-linux-gnu/libheimntlm.so.* mr,
      /usr/lib/x86_64-linux-gnu/libhx509.so.* mr,
      /usr/lib/x86_64-linux-gnu/libibus-1.0.so.* mr,
      /usr/lib/x86_64-linux-gnu/libidn.so.* mr,
      /usr/lib/x86_64-linux-gnu/libjson-glib*.so* mr,
      /usr/lib/x86_64-linux-gnu/libk5crypto.so* mr,
      /usr/lib/x86_64-linux-gnu/libkrb5.so* mr,
      /usr/lib/x86_64-linux-gnu/libkrb5support.so* mr,
      /usr/lib/x86_64-linux-gnu/liblber*.so* mr,
      /usr/lib/x86_64-linux-gnu/libldap_r*.so* mr,
      /usr/lib/x86_64-linux-gnu/libltdl.so.* mr,
      /usr/lib/x86_64-linux-gnu/liblua5.1.so.* mr,
      /usr/lib/x86_64-linux-gnu/libnspr4.so mr,
      /usr/lib/x86_64-linux-gnu/libnss3.so mr,  
      /usr/lib/x86_64-linux-gnu/libnssutil3.so mr,
      /usr/lib/x86_64-linux-gnu/libogg.so.* mr,
      /usr/lib/x86_64-linux-gnu/libp11-kit.so* mr,
      /usr/lib/x86_64-linux-gnu/libpango*.so* mr,
      /usr/lib/x86_64-linux-gnu/libpangocairo*.so.* mr,
      /usr/lib/x86_64-linux-gnu/libpixman*.so* mr,
      /usr/lib/x86_64-linux-gnu/libplc4.so mr,
      /usr/lib/x86_64-linux-gnu/libplds4.so mr,
      /usr/lib/x86_64-linux-gnu/libquvi.so.* mr,
      /usr/lib/x86_64-linux-gnu/libroken.so.* mr,
      /usr/lib/x86_64-linux-gnu/librtmp.so.* mr,
      /usr/lib/x86_64-linux-gnu/libsasl2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libsmime3.so mr,
      /usr/lib/x86_64-linux-gnu/libsqlite3.so.* mr,
      /usr/lib/x86_64-linux-gnu/libssl*.so mr,
      /usr/lib/x86_64-linux-gnu/libstartup-notification-1.so.* mr,
      /usr/lib/x86_64-linux-gnu/libstdc** r,
      /usr/lib/x86_64-linux-gnu/libstdc++.so* mr,
      /usr/lib/x86_64-linux-gnu/libstdc\+\+.so.* mr,
      /usr/lib/x86_64-linux-gnu/libtasn1.so* mr,
      /usr/lib/x86_64-linux-gnu/libtdb.so.* mr,
      /usr/lib/x86_64-linux-gnu/libvorbis.so.* mr,
      /usr/lib/x86_64-linux-gnu/libvorbisfile.so.* mr,
      /usr/lib/x86_64-linux-gnu/libwind.so.* mr,
      /usr/lib/x86_64-linux-gnu/libxcb-render.so* mr,
      /usr/lib/x86_64-linux-gnu/libxcb-shm.so* mr,
      /usr/lib/x86_64-linux-gnu/libxcb.so* mr,
      /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,
      /usr/lib/x86_64-linux-gnu/nss/libfreebl*.so mr,
      /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so mr,
      /usr/lib/x86_64-linux-gnu/nss/libsoftokn*.so mr,
      /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/ r,
      /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules r,  
      /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango*.so mr,
      /usr/lib/x86_64-linux-gnu/librsvg*.so* mr,
      /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module*.so mr,  
      /usr/lib/x86_64-linux-gnu/libpulse.so.* mr,
      /usr/lib/x86_64-linux-gnu/libpulsecommon*.so mr,
      /usr/lib/x86_64-linux-gnu/libspeexdsp.so* mr,
      /usr/lib/x86_64-linux-gnu/libjson.so* mr,
      /usr/lib/x86_64-linux-gnu/libcroco*.so* mr,
      /usr/lib/x86_64-linux-gnu/libsndfile.so* mr,
      /usr/lib/x86_64-linux-gnu/libasyncns.so* mr,
      /usr/lib/x86_64-linux-gnu/libFLAC.so* mr,
      /usr/lib/x86_64-linux-gnu/libvorbisenc.so* mr,
      /usr/lib/x86_64-linux-gnu/libxcb-util.so* mr,
      /usr/lib/x86_64-linux-gnu/libX*.so* mr,  
      /usr/lib/x86_64-linux-gnu/libX11.so* mr,
    
      # Firefox specific
    
      /usr/lib/x86_64-linux-gnu/gconv/UTF-*.so mr,
      /usr/lib/x86_64-linux-gnu/gnome-vfs-2.0/modules/libfile.so r,
      /usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules.cache r,
      /usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules/im-ibus.so mr,
      /usr/lib/x86_64-linux-gnu/gtk-3.0/modules/libcanberra-gtk3-module.so mr,
      /usr/lib/x86_64-linux-gnu/libORBit-2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libORBitCosNaming-2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libart_lgpl_2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libavahi-glib.so.* mr,
      /usr/lib/x86_64-linux-gnu/libbonobo-2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libbonobo-activation.so.* mr,
      /usr/lib/x86_64-linux-gnu/libbonoboui-2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcairo-gobject.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcanberra-*/libcanberra-pulse.so mr,
      /usr/lib/x86_64-linux-gnu/libcanberra-gtk3.so.* mr,
      /usr/lib/x86_64-linux-gnu/libcurl.so.* mr,
      /usr/lib/x86_64-linux-gnu/libdbusmenu-gtk3.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgailutil.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgnome-keyring.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgnomeui-2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libgnomevfs-2.so.* mr,
      /usr/lib/x86_64-linux-gnu/libnotify.so.* mr,
      /usr/lib/x86_64-linux-gnu/libstdc** mr,
      /usr/lib/x86_64-linux-gnu/pango/*/modules/pango*.so r,
    Finally, here is my improved IcedTea java plugin profile. NOTE: you must be using "IcedTea" and not the official Oracle Java for this to work. Also, you must be using Openjdk version 7. If you use version 6, you will have to modify the profile accordingly. This profile will work with either Firefox or Chrome. Place this file in /etc/apparmor.d/abstractions

    browser_openjdk

    Code:
    # vim:syntax=apparmor
    
      owner @{HOME}/.java/deployment/deployment.properties k,  
    
      /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/ r,
      /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/IcedTeaPlugin.so mr,  
        
      /usr/lib/jvm/java-7-openjdk-*/jre/bin/java rCx -> browser_openjdk,
    
      profile browser_openjdk {
        #include <abstractions/browser-libs-strict>
        #include <abstractions/private-files-strict>
    
        network inet stream,
        network inet dgram,
        network inet6 stream,
    
        /usr/lib/jvm/java-7-openjdk-*/jre/lib/ r,
        /usr/lib/jvm/java-7-openjdk-*/jre/lib/** r,
        /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/*.so mr,
        /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/*/*.so mr,
            
        /usr/lib/jvm/java-7-openjdk-*/jre/bin/java r,
        /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/jvm.cfg-default r,
    
        /usr/lib/*-linux-gnu/jni/libatk-wrapper.so.* mr,
        /usr/lib/*-linux-gnu/gconv/SJIS.so mr,
    
        deny /usr/bin/gconftool-2 x,
        deny /anon_hugepage//deleted r,
    
        /etc/fonts/fonts.conf r,
        /etc/fonts/conf.d/ r,
        /etc/fonts/conf.d/** r,
        /etc/fonts/conf.avail/ r,
        /etc/fonts/conf.avail/** r,
        /etc/hosts r,
        /etc/host.conf r,
        /etc/ssl/certs/java/cacerts r,
        /etc/java-7-openjdk/ r,
        /etc/java-7-openjdk/** r,    
        /etc/locale.alias r,
        /etc/localtime r,
        /etc/lsb-release r,
        /etc/ld.so.cache r,    
        /etc/nsswitch.conf r,
        /etc/resolv.conf r,
        /etc/passwd r,
        /etc/timezone r,
    
        /dev/{,u}random r,
        
    
        /home/ r,
        /home/*/ r,
        /home/*/.cache/dconf/user rw,
        /home/*/.config/dconf/user r,
        /home/*/.config/ibus/bus/ w,
        /home/*/.fontconfig/ r,
        /home/*/.fontconfig/** r,
        /home/*/.fonts/ r,
        /home/*/.fonts/** r,
        /home/*/.java/fonts/ r,
        /home/*/.java/fonts/** rw,
        /home/*/.mozilla/firefox/profiles.ini r,
        /home/*/.icedtea/ r,
        /home/*/.icedtea/** r,
        /home/*/.icedtea/cache/** rwk,
        /home/*/.Xauthority r,
    
        /opt/google/chrome/ r,
    
        /proc/[0-9]*/ r,
        /proc/[0-9]*/cmdline r,
        /proc/filesystems r,
        /proc/stat r,
        /proc/[0-9]*/coredump_filter rw,
        /proc/cpuinfo r,
        /proc/[0-9]*/maps r,
        /proc/[0-9]*/net/if_inet6 r,
        /proc/[0-9]*/net/ipv6_route r,
        /proc/meminfo r,
    
        /usr/share/glib-2.0/schemas/gschemas.compiled r,
    
        /usr/share/icedtea-web/ r,
        /usr/share/icedtea-web/** r,
        /usr/share/java/ r,
        /usr/share/java/** r,
    
        # For fonts, icons, themes, etc.  No abstractions here
        /usr/share/fonts/ r,
        /usr/share/fonts/** r,
        /usr/share/texmf/fonts/ r,
        /usr/share/texmf/fonts/** r,
        /usr/share/icons/ r,
        /usr/share/icons/** r,
        /usr/share/themes/ r,
        /usr/share/themes/** r,
    
        /usr/share/X11/locale/locale.* r,
        /usr/share/X11/locale/*.dir r,
        /usr/share/X11/locale/en_US.UTF-8/ r,
        /usr/share/X11/locale/en_US.UTF-8/** r,
    
        /usr/share/javazi r,
        /usr/share/javazi/** r,
        /usr/share/zoneinfo/ r,
        /usr/share/zoneinfo/** r,
    
       # /tmp stuff.  Again no abstractions
        /tmp/ r,
        /tmp/*/ rw,
        /tmp/*/** rw,
        /var/tmp/ r,
        /tmp/hsperfdata_*/ rw,
        /tmp/hsperfdata_*/** rw,
        
        /tmp/icedteaplugin-*/* r,
        /tmp/icedteaplugin-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
        /tmp/*/netx/locks/netx_running rwk,
        
        /sys/devices/system/cpu/ r,
        /sys/devices/system/cpu/online r,
    
        /var/cache/fontconfig/ rw,
        /var/cache/fontconfig/** rw,
    
        /var/lib/dbus/machine-id r,
    
        /usr/lib/jvm/java-7-openjdk-*/bin/java ix,    
    
    }
    That's it. So you have 4 files:

    opt.google.chrome.chrome ---> /etc/apparmor.d
    opt.google.chrome.chrome-sandbox ----> /etc/apparmor.d
    browser-libs-strict ---> /etc/apparmor.d/abstractions
    browser_openjdk ---> /etc/apparmor.d/abstractions

    Try them out and let me know how they work. At the very least use the OpenJDK profile. You can place it in the #include section of the abstractions in your own browser profiles. (You will also need the "browser-libs-strict" abstraction for the openjdk profile to work).
     
    Last edited: Sep 24, 2012
  19. tlu

    tlu Guest

    Well, I had added rules via aa-logprof that should have covered KDE. But anyway, as mentioned in post #161, I ceated new profiles and they work as they should.
     
  20. tlu

    tlu Guest

    No worry :D I noticed that the syslog entries regarding null profiles were several hours old. After rebooting my system they are gone. So this might be an AppArmor bug that old null profiles are not always properly cleaned up.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If you delete the files or save new versions it might leave a backup file int he folder. You can view it with ctrl + H. This can mess apparmor up but it's not an apparmor bug, it's probably gedit or whatever text editor you've used.

    ------

    My profile is somewhat specific to me as I only added the libs that I use. I don't have cupsd installed and I don't use certain things. We also use different desktop environments so different libs are required.

    Just a tip:

    aa-complain/enforce (Whichever)
    open program
    aa-logprof
    aa-complain/enforce
    open program

    etc

    Reloading in between is what helps.

    Why not just replace the 7's with *'s. That way when it hits Java 8 you won't have a ton of old rules.
     
  22. tlu

    tlu Guest

    Sure, but - as mentioned - I didn't use it unchanged but added numerous rules via aa-logprof.

    That's what I'm doing. But it doesn't always help. Example: I got no sound in Chrome from videos on, e.g., youtube. Neither aa-logprof nor /var/log/messages showed any errors. After a reboot things looked different: Now aa-logprof showed that the pulseaudio profile required read access to /home/*/.Xauthority. Again, only after the reboot (I had added /usr/bin/pulseaudio Px, to my Chrome profile). This is an example why it's not always that easy.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Ah, I see. I've had issues like that before where only a reboot solved it. Such is life I suppose.

    Still a hell of a lot easier than SELinux haha
     
  24. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Too lazy.
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    Eventually this is the approach I've adopted:

    • aa-genprof <program name>
    • open program
    • Scan and add suggestions
    • edit profile, finish (program is now enforced with a very basic profile)
    • sudo apparmor_parser -r /etc/apparmor.d/<profile name> (reloads profile)
    • open program (usually won't open yet because profile is incomplete)
    • aa-logprof and add suggestions
    • Finish
    • repeat steps 4-8

    After a few repeats of aa-logprof I then check the syslogs for "Apparmor Denied" path names that might need to be addressed. After reading about tlu rebooting and you confirming this, I will probably have to do the same.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.