AppArmor profiles for Ubuntu based distros

Discussion in 'all things UNIX' started by shuverisan, Jul 13, 2014.

  1. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    Wanted to give this its own thread instead of continuing to bump one not as relevant.

    Recently I've been putting together some Apparmor profiles for Ubuntu based distros, just some default and useful internet facing programs. They're completely custom made and much more restrictive than the default profiles from the repositories.

    Here's the catch though: These are base profiles for you to easily build on. These are NOT drop-in solutions for 100% functionality right from the start. They are a 95% finished product and you just need to fill in blanks for personal folder access, your hardware and your user/profile/account.

    These profiles were made in Mint 17 with Cinnamon though it's only a small amount of changes to 'port' over to Gnome, Unity or XFCE and Debian based systems (not tried with other desktop environments or Linux variants).

    For a list of what works in each profile and what does not, see the README file. It also contains the directions and commands to complete them.

    http://thesimplecomputer.info/apparmor/
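The README the post points to holds the commands for finishing the profiles; what those commands leave you with is a stream of AppArmor audit records that still have to be turned into rules by hand. The script below is an added example, not shuverisan's code and not from thesimplecomputer.info: it converts such records into candidate rule lines, accepting both `apparmor="DENIED"` (enforce mode) and `apparmor="ALLOWED"` (complain mode, which is how `aa-complain` reports a would-be denial), merging the masks seen for one path, adding the `owner` qualifier only when the record's fsuid matches the file's ouid, rewriting a literal `/home/<user>` prefix to `@{HOME}`, and refusing to emit a bare `x` for an exec denial. The log records, profile names and paths in it are constructed; `@{HOME}` assumes either `#include <tunables/global>` or a local definition in the profile.

```python
"""Turn AppArmor audit records into candidate profile rules.

Added example, not code from the thread or from thesimplecomputer.info.
Input is the AVC lines that audit.log (or kern.log/syslog) carries while a
profile runs; output is a list of rule lines per profile to review by hand.
The records below are constructed, not captured from a real system.
"""
import re
import sys
from collections import defaultdict

# key="quoted value" or key=bareword, the two forms AppArmor records use
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# a literal per-user prefix is rewritten to the @{HOME} tunable; with
# tunables/home that yields "@{HOME}//x", which the parser collapses
HOME_RE = re.compile(r"^/home/[^/]+")
# order used when printing a mode string; the log's c (create) and
# d (delete) masks are both spelled w in a rule
MODE_ORDER = "rwamkl"
MASK_TO_MODE = {"c": "w", "d": "w"}

# constructed sample: enforce-mode DENIED records for two profiles plus one
# complain-mode ALLOWED record, which is how aa-complain reports a denial
SAMPLE_LOG = """\
type=AVC msg=audit(1405000000.123:101): apparmor="DENIED" operation="open" profile="/usr/bin/vlc" name="/home/sim/Videos/talk.mkv" pid=2101 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1405000000.456:102): apparmor="DENIED" operation="mknod" profile="/usr/bin/vlc" name="/home/sim/.config/vlc/vlc-qt-interface.conf.lock" pid=2101 comm="vlc" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1405000000.789:103): apparmor="DENIED" operation="file_lock" profile="/usr/bin/vlc" name="/home/sim/.config/vlc/vlc-qt-interface.conf.lock" pid=2101 comm="vlc" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
type=AVC msg=audit(1405000001.000:104): apparmor="DENIED" operation="open" profile="/usr/bin/vlc" name="/etc/machine-id" pid=2101 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1405000001.100:105): apparmor="DENIED" operation="capable" profile="/sbin/dhclient" pid=900 comm="dhclient" capability=13  capname="net_raw"
type=AVC msg=audit(1405000001.200:106): apparmor="DENIED" operation="create" profile="/sbin/dhclient" pid=900 comm="dhclient" family="inet6" sock_type="dgram" protocol=0
type=AVC msg=audit(1405000001.300:107): apparmor="ALLOWED" operation="open" profile="/usr/bin/vlc" name="/etc/fonts/fonts.conf" pid=2101 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1405000001.400:108): apparmor="DENIED" operation="exec" profile="/usr/bin/vlc" name="/usr/bin/xdg-open" pid=2150 comm="vlc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""


def parse_record(line):
    """Return the fields of one AppArmor audit record as a dict, or None.

    DENIED (enforce mode) and ALLOWED (complain mode) records are kept;
    STATUS and anything that is not an AppArmor record are skipped.
    """
    rec = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
           for m in FIELD_RE.finditer(line)}
    if rec.get("apparmor") not in ("DENIED", "ALLOWED"):
        return None
    return rec


def mode_string(masks):
    """Collapse a set of log mask characters into one profile mode string."""
    modes = {MASK_TO_MODE.get(ch, ch) for ch in masks}
    return "".join(ch for ch in MODE_ORDER if ch in modes)


def generalise(path):
    """Replace a literal /home/<user> prefix with the @{HOME} tunable."""
    return HOME_RE.sub("@{HOME}", path)


def candidate_rules(log_text):
    """Map each profile name to a sorted list of candidate rule lines."""
    files = defaultdict(set)   # (profile, path, owner?) -> mask characters
    extra = defaultdict(set)   # profile -> capability/network rules and notes
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        prof = rec["profile"]
        if rec.get("operation") == "capable":
            extra[prof].add("capability %s," % rec["capname"])
        elif "family" in rec and "sock_type" in rec:
            extra[prof].add("network %s %s," % (rec["family"], rec["sock_type"]))
        elif "name" in rec and "denied_mask" in rec:
            # "owner" is only safe when the process's fsuid owned the object
            owner = "fsuid" in rec and rec["fsuid"] == rec.get("ouid")
            for ch in rec["denied_mask"]:
                if ch == "x":
                    # an exec needs a transition mode (ix/Px/Cx/Ux), never a bare x
                    extra[prof].add("# %s: exec denied, choose ix, Px, Cx or Ux by hand"
                                    % rec["name"])
                elif ch.isalpha():
                    files[(prof, rec["name"], owner)].add(ch)
    rules = defaultdict(set)
    for (prof, path, owner), masks in files.items():
        mode = mode_string(masks)
        if mode:
            rules[prof].add("%s%s %s," % ("owner " if owner else "", generalise(path), mode))
    for prof, lines in extra.items():
        rules[prof].update(lines)
    return {prof: sorted(lines) for prof, lines in rules.items()}


if __name__ == "__main__":
    # pipe real records in (e.g. grep apparmor= /var/log/audit/audit.log),
    # otherwise the constructed sample is used
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for prof, lines in sorted(candidate_rules(text).items()):
        print("# candidate rules for %s" % prof)
        for rule in lines:
            print("    " + rule)
```

Each emitted line names one literal file, so the review step is to collapse them into the globs you actually intend (`@{HOME}/Videos/**` rather than one `.mkv`), drop anything the program should not have been doing, and reload with `apparmor_parser -r` before going back to enforce mode.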
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Thanks again for your work, I'll be working through these as soon as I can.
     
  3. _Sim_

    _Sim_ Registered Member

    Joined:
    Mar 2, 2014
    Posts:
    15
    Here are my self-written apparmor profiles:

    vlc
    Code:
    @{ARCH}=x86_64-linux-gnu
    @{HOME}=/home/sim/
    
    /usr/bin/vlc {
    
        owner @{HOME}                                                      r,
        owner @{HOME}/Downloads/{,**}                                      r,
        owner @{HOME}/.config/vlc/vlcrc                                    r,
        owner @{HOME}/.config/Trolltech.conf                               rwk,
        owner @{HOME}/.config/user-dirs.dirs                               r,
        owner @{HOME}/.config/ibus/bus/                                    r,
        owner @{HOME}/.config/vlc/vlc*                                     rwk,
        owner @{HOME}/.local/share/vlc/ml.xspf                             rwk,
        owner @{HOME}/.local/share/recently-used.xbel                      r,
        owner @{HOME}/.ICEauthority                                        r,
        owner @{HOME}/.thumbnails/**.png                                   r,
    
        /var/cache/fontconfig/*                                            r,
        /var/lib/dbus/machine-id                                           r,
    
        /usr/local/share/fonts/                                            r,
    
        /usr/share/X11/locale/locale.{dir,alias}                           r,
        /usr/share/X11/locale/*/XLC_LOCALE                                 r,
        /usr/share/X11/locale/compose.dir                                  r,
        /usr/share/X11/locale/*/Compose                                    r,
        /usr/share/{fonts,icons,mime}/**                                   r,
        /usr/share/themes/Default/gtk-[0-9]*-key/gtkrc                     r,
        /usr/share/themes/Trisquel/gtk-[0-9]*/gtkrc                        r,
        /usr/share/themes/Trisquel/gtk-[0-9]*/widgets/panel.rc             r,
        /usr/share/themes/Trisquel/gtk-[0-9]*/apps/*.rc                    r,
        /usr/share/gvfs/remote-volume-monitors/{,gdu.monitor,afc.monitor,gphoto2.monitor} r,
        /usr/share/{pixmaps,icons}/                                        r,
    
        /usr/lib/                                                          r,
        /usr/lib/@{ARCH}/                                                  r,
        /usr/lib/@{ARCH}/*.so{,.[0-9]*}                                    rm,
        /usr/lib/@{ARCH}/gconv/gconv-modules{,.cache}                      r,
        /usr/lib/@{ARCH}/{gconv,gvfs}/*.so                                 rm,
        /usr/lib/@{ARCH}/qt4/plugins/{inputmethods,imageformats}/          r,
        /usr/lib/@{ARCH}/qt4/plugins/{inputmethods,imageformats}/*.so      rm,
        /usr/lib/@{ARCH}/pango/[0-9]*/module-files.d/                      r,
        /usr/lib/@{ARCH}/pango/[0-9]*/module-files.d/libpango1.0-0.modules r,
        /usr/lib/@{ARCH}/pango/[0-9]*/modules/*.so                         rm,
        /usr/lib/@{ARCH}/gtk-[0-9]*/[0-9]*/gtk.immodules                   r,
        /usr/lib/@{ARCH}/gtk-[0-9]*/[0-9]*/{immodules,engines}/*.so        rm,
        /usr/lib/@{ARCH}/gdk-pixbuf-[0-9]*/[0-9]*/loaders.cache            r,
        /usr/lib/@{ARCH}/gdk-pixbuf-[0-9]*/[0-9]*/loaders/*.so             rm,
        /usr/lib/@{ARCH}/gio/modules/{,giomodule.cache}                    r,
        /usr/lib/@{ARCH}/gio/modules/*.so                                  rm,
        /usr/lib/@{ARCH}/mesa/*.so.[0-9]*                                  rm,
        /usr/lib/vlc/**                                                    r,
        /usr/lib/vlc/plugins/plugins.dat                                   r,
        /usr/lib/vlc/plugins/plugins.dat.[0-9]*                            rwk,
        /usr/lib/vlc/plugins/*/*.so                                        rm,
        /usr/lib/*.so{,.[0-9]*}                                            rm,
        /usr/lib/locale/locale-archive                                     r,
    
        /sys/devices/system/cpu/online                                     r,
    
        /proc/{meminfo,stat,filesystems}                                   r,
        /proc/[0-9]*/{maps,auxv,cmdline}                                   r,
    
        /lib/                                                              r,
        /lib/@{ARCH}/*.so{,.[0-9]*}                                        rm,
    
        /etc/{ld.so.cache,localtime,locale.alias,nsswitch.conf,passwd}     r,
        /etc/fonts/{fonts.conf,conf.d/}                                    r,
        /etc/fonts/conf.avail/*.conf                                       r,
        /etc/fonts/conf.d/99pdftoopvp.conf                                 r,
        /etc/xdg/Trolltech.conf                                            rwk,
        /etc/pulse/client.conf                                             r,
    
        /run/gdm/auth-for-*-*/database                                     r,
        /run/shm/                                                          r,
        /run/shm/pulse-shm-[0-9]*                                          rwk,
        /run/resolvconf/resolv.conf                                        r,
    
        /dev/                                                              r,
        /dev/urandom                                                       r,
    
        deny /home/.ecryptfs/**                                                             rw,
        deny @{HOME}/.config/ibus/bus/                                                      w,
        deny @{HOME}/.{screenrc,gtk-bookmarks,bash_history,dingrc,lesshst,profile,esd_auth} rw,
        deny @{HOME}/.{disablecompiz,bashrc}                                                rw,
        deny @{HOME}/.{pulse-cookie,xsession-errors,bash_logout,face,pam_environment}       rw,
        deny @{HOME}/.local/share/recently-used.xbel                                        rw,
        deny @{HOME}/Downloads/**                                                           w,
        deny /usr/bin/xdg-screensaver                                                       rwx,
    
    }
    
    dhclient
    Code:
    @{ARCH}=x86_64-linux-gnu
    
    #include <tunables/global>
    
    /sbin/dhclient {
    
        #include <abstractions/base>
    
        capability net_bind_service,
        capability net_raw,
    
        network raw,
        network inet dgram,
    
        @{PROC}/[0-9]*/net/{,**}                                  r,
    
        /sbin/dhclient                                            rm,
    
        /etc/services                                             r,
        /etc/{nsswitch,dhclient}.conf                             r,
        /etc/dhcp/{,**}                                           r,
    
        /var/lib/dhcp{,3}/dhclient*                               rwl,
        /{,var/}run/dhclient*.pid                                 rwl,
        /{,var/}run/dhclient*.lease*                              rwl,
        /{,var/}run/nm*conf                                       r,
        /{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid rwl,
        /{,var/}run/connman/dhclient*.pid                         rwl,
        /{,var/}run/connman/dhclient*.leases                      rwl,
    
        /usr/share/synce-hal/dhclient.conf                        r,
        /usr/lib/NetworkManager/nm-dhcp-client.action             Cx,
    
        profile /usr/lib/NetworkManager/nm-dhcp-client.action {
    
            /usr/lib/sse2/                                                    r,
            /usr/lib/@{ARCH}/{,sse2/,i686/}/                                  r,
            /usr/lib/@{ARCH}/lib{gobject,ffi}*.so*                            rm,
            /usr/lib/NetworkManager/nm-dhcp-client.action                     r,
    
            /lib/                                                             r,
            /lib/@{ARCH}/lib{dbus,glib,pthread,c,rt,pcre,pthread}*.so*        rm,
            /lib/@{ARCH}/ld-2.15.so                                           rm,
    
            /etc/ld.so.cache                                                  r,
    
        }
    
        deny network inet6 dgram,
    
    }
    
    thunderbird
    Code:
    @{ARCH}=x86_64-linux-gnu
    @{HOME}=/home/sim/
    @{THUNDERBIRD}=@{HOME}/.thunderbird/
    
    /usr/lib/thunderbird/thunderbird {
    
        network inet stream,
        network inet dgram,
    
        owner @{THUNDERBIRD}/profiles.ini                                      r,
        owner @{THUNDERBIRD}/**                                                rwk,
    
        owner @{HOME}/                                                         r,
        owner @{HOME}/Downloads/                                               r,
        owner @{HOME}/Downloads/**                                             rw,
        owner @{HOME}/.cache/thunderbird/**                                    rwk,
        owner @{HOME}/{.ICEauthority,.xsession-errors}                         r,
        owner @{HOME}/.cache/dconf/user                                        rwk,
        owner @{HOME}/.config/dconf/user                                       r,
        owner @{HOME}/.config/user-dirs.dirs                                   r,
        owner @{HOME}/.local/share/applications/**                             rwk,
        owner @{HOME}/.local/share/gvfs-metadata/home*                         r,
        owner @{HOME}/.thumbnails/normal/*.png                                 r,
        owner @{HOME}/.gnupg/{,**}                                             r,
    
        /usr/lib/*.so.*                                                        rm,
        /usr/lib/thunderbird/thunderbird                                       rk,
        /usr/lib/thunderbird{,-addons}/**                                      r,
        /usr/lib/thunderbird{,/*}/*.so                                         rm,
        /usr/lib/mozilla/extensions/{,**}                                      r,
        /usr/lib/mozilla/plugins/{,**}                                         r,
        /usr/lib/mozilla/plugins/*.so                                          rm,
        /usr/lib/locale/locale-archive                                         r,
        /usr/lib/xul-ext/enigmail/{,**}                                        r,
        /usr/lib/xul-ext/enigmail/platform/Linux_x86{,_64}-gcc3/lib/*.so       rm,
    
        /usr/lib/@{ARCH}/dri/*.so                                              rm,
        /usr/lib/@{ARCH}/pango/[0-9]*/modules/pango-basic-fc.so                rm,
        /usr/lib/@{ARCH}/pango/[0-9]*/module-files.d/{,libpango[0-9]*.modules} r,
        /usr/lib/@{ARCH}/gtk-[0-9]*/[0-9]*/immodules/im-ibus.so                rm,
        /usr/lib/@{ARCH}/gtk-[0-9]*/[0-9]*/engines/lib*.so                     rm,
        /usr/lib/@{ARCH}/gtk-[0-9]*/[0-9]*/gtk.immodules                       r,
        /usr/lib/@{ARCH}/gdk-pixbuf-[0-9]*/[0-9]*/loaders.cache                r,
        /usr/lib/@{ARCH}/gdk-pixbuf-[0-9]*/[0-9]*/loaders/lib*.so              rm,
        /usr/lib/@{ARCH}/lib*.so.*                                             rm,
        /usr/lib/@{ARCH}/gconv/gconv-modules{,.cache}                          r,
        /usr/lib/@{ARCH}/mesa/libGL.so.[0-9]*                                  rm,
        /usr/lib/@{ARCH}/gconv/UTF-16.so                                       rm,
        /usr/lib/@{ARCH}/gio/modules/{,giomodule.cache}                        r,
        /usr/lib/@{ARCH}/gio/modules/*.so                                      rm,
        /usr/lib/@{ARCH}/gvfs/*.so                                             rm,
        /usr/lib/@{ARCH}/libcanberra-[0-9]*/libcanberra-{alsa,pulse}.so        rm,
        /usr/lib/@{ARCH}/libpulsecommon-[0-9]*.so                              rm,
    
        /usr/share/                                                            r,
        /usr/share/themes/{Default,Trisquel}/gtk-[0-9]*/gtkrc                  r,
        /usr/share/themes/Trisquel/gtk-[0-9]*/{apps,widgets}/*.rc              r,
        /usr/share/{fonts,icons,mime}/{,**}                                    r,
        /usr/share/{pixmaps,applications}/                                     r,
        /usr/share/hunspell/{,**}                                              r,
        /usr/share/applications/*{.cache,.desktop}                             r,
        /usr/share/gnome/applications/{,mimeapps.list,mimeinfo.cache}          r,
        /usr/share/glib-[0-9]*/schemas/gschemas.compiled                       r,
        /usr/share/X11/locale/locale.{dir,alias}                               r,
        /usr/share/X11/locale/{C,en_US.UTF-8}/XLC_LOCALE                       r,
        /usr/share/locale-langpack/en_*/LC_MESSAGES/*.mo                       r,
        /usr/local/share/fonts/                                                r,
        /usr/bin/gpg                                                           Cx,
    
        /run/shm/                                                              r,
        /run/gdm/auth-for-sim-*/database                                       r,
        /run/resolvconf/resolv.conf                                            r,
    
        /etc/{nsswitch.conf,passwd,hosts,host.conf,locale.alias,localtime}     r,
        /etc/fonts/fonts.conf                                                  r,
        /etc/fonts/conf.{d,avail}/{,*.conf}                                    r,
        /etc/thunderbird/syspref.js                                            r,
        /etc/gnome-vfs-2.0/modules/{,*.conf}                                   r,
        /etc/gnome/defaults.list                                               r,
        /etc/{mime.types,mailcap,gai.conf}                                     r,
        /etc/xul-ext/enigmail.js                                               r,
        /etc/ld.so.cache                                                       rm,
    
        /var/cache/fontconfig/*                                                r,
        /var/lib/dbus/machine-id                                               r,
        /var/tmp/                                                              r,
        /var/tmp/*                                                             rwk,
    
        /lib/{,@{ARCH}}/lib*.so*                                               rm,
        /lib/libnss_mdns4*.so*                                                 rm,
    
        /proc/[0-9]*/{mountinfo,stat,mounts,maps}                              r,
        /proc/[0-9]*/task/[0-9]*/stat                                          r,
        /proc/{cpuinfo,stat,meminfo,filesystems}                               r,
    
        /tmp/{,**}                                                             r,
        owner /tmp/**                                                          w,
    
        /dev/dri/card0                                                         r,
        /dev/urandom                                                           r,
        /dev/null                                                              rw,
    
        /sys/devices/system/cpu/{,present,online}                              r,
    
        /bin/dash                                                              Cx,
    
        profile /bin/dash {
    
            /lib/@{ARCH}/                                                      r,
            /lib/@{ARCH}/libc-2.15.so                                          rm,
    
            /usr/lib/@{ARCH}/{,sse2/}                                          r,
            /usr/lib/@{ARCH}/i686/{,cmov/,sse2/}                               r,
    
            /etc/ld.so.cache                                                   r,
    
        }
    
        profile /usr/bin/gpg {
    
            network inet stream,
            network inet dgram,
    
            owner @{HOME}/.gnupg/{secring,trustdb,pubring}.gpg.lock rwkl,
            owner @{HOME}/.gnupg/**                                 rwk,
            owner @{HOME}/Downloads/*.txt                           r,
    
            /usr/bin/gpg                                            r,
            /usr/lib/gnupg/gpgkeys_*                                ix,
            /usr/lib/sse2/                                          r,
            /usr/lib/locale/locale-archive                          r,
            /usr/lib/@{ARCH}/{,sse2/}                               r,
            /usr/lib/@{ARCH}/i686/{,cmov/,sse2/}                    r,
            /usr/lib/@{ARCH}/gconv/gconv-modules{,.cache}           r,
    
            /lib/                                                   r,
            /lib/@{ARCH}/*.so*                                      rm,
            /lib/*.so.[0-9]*                                        rm,
    
            /etc/{ld.so.cache,locale.alias,localtime,hosts}         r,
            /etc/{nsswitch,gai,host}.conf                           r,
    
            /run/resolvconf/resolv.conf                             r,
    
            /proc/[0-9]*/maps                                       r,
    
            /dev/urandom                                            r,
    
            /tmp/*                                                  r,
    
            # Deny
            deny /home/.ecryptfs/**                                 rw,
            deny network inet6 stream,
            deny network inet6 dgram,
    
        }
    
        # Deny
        deny @{HOME}/{.pulse-cookie,.gtk-bookmarks}   rwk,
        deny @{HOME}/{.screenrc,.bashrc,.gksu.lock}   rwk,
        deny @{HOME}/{.bash_logout,error_msg,.face}   rwk,
        deny @{HOME}/.cache/event-sound-cache.*       rwk,
        deny @{HOME}/.config/ibus/bus/                w,
        deny @{HOME}/.local/share/recently-used.xbel* rw,
        deny /home/.ecryptfs/**                       rw,
        deny /etc/fstab                               r,
        deny /etc/sound/events/*                      r,
        deny /etc/pulse/client.conf                   r,
        deny /run/shm/pulse-shm-*                     rwk,
        deny /dev/dri/card0                           w,
        deny /usr/share/sounds/**                     rw,
        deny /usr/share/gvfs/remote-volume-monitors/  r,
        deny network inet6 stream,
        deny network inet6 dgram,
    
    }
    
    jitsi
    Code:
    @{ARCH}=x86_64-linux-gnu
    @{HOME}=/home/sim/
    
    /usr/bin/jitsi {
    
        /dev/tty                                          r,
    
        /bin/{sed,which,uname}                            Cx,
    
        /usr/bin/jitsi                                    r,
        /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java    Cx,
        /usr/lib/locale/locale-archive                    r,
        /usr/lib/@{ARCH}/gconv/gconv-modules{,.cache}     r,
    
        /lib/@{ARCH}/*.so{,.[1-9]*}                       rm,
    
        /etc/{ld.so.cache,locale.alias}                   r,
    
        /proc/meminfo                                     r,
    
        profile /bin/sed {
    
            /bin/sed                                      r,
    
            /lib/                                         r,
            /lib/@{ARCH}/libselinux.so.1                  rm,
            /lib/@{ARCH}/{ld,libc,libdl}-*.so             rm,
    
            /usr/lib/sse2/                                r,
            /usr/lib/locale/locale-archive                r,
            /usr/lib/@{ARCH}/                             r,
            /usr/lib/@{ARCH}/{sse2,i686}/                 r,
            /usr/lib/@{ARCH}/i686/{cmov,sse2}/            r,
            /usr/lib/@{ARCH}/gconv/gconv-modules{,.cache} r,
    
            /etc/{ld.so.cache,locale.alias}               r,
    
            /proc/filesystems                             r,
    
        }
    
        profile /bin/which {
    
            /usr/lib/@{ARCH}/i686/{cmov,sse2}/            r,
    
            /lib/@{ARCH}/                                 r,
            /lib/@{ARCH}/{libc,ld}-*.so                   mr,
    
            /etc/ld.so.cache                              r,
    
            /bin/{dash,which}                             r,
    
        }
    
        profile /bin/uname {
    
            /bin/uname                                    r,
    
            /usr/lib/@{ARCH}/{sse2,i686}/                 r,
            /usr/lib/@{ARCH}/i686/{cmov,sse2}/            r,
            /usr/lib/locale/locale-archive                r,
    
            /lib/@{ARCH}/                                 r,
            /lib/@{ARCH}/{libc,ld}-*.so                   rm,
    
            /etc/{ld.so.cache,locale.alias}               r,
    
        }
    
        profile /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java {
    
            network inet stream,
            network inet dgram,
    
            # jitsi directory
            owner @{HOME}/.jitsi/                                                     rw,
            owner @{HOME}/.{jitsi,java}/**                                            rwk,
    
            owner @{HOME}/                                                            r,
    
            /etc/java-[0-9]-openjdk/**                                                r,
            /etc/{passwd,nsswitch.conf,timezone,ld.so.cache}                          r,
            /etc/{hosts,host.conf,lsb-release,locale.alias,localtime}                 r,
            /etc/fonts/**                                                             r,
            /etc/ssl/certs/java/cacerts                                               r,
            /etc/gnome-vfs-2.0/modules/                                               r,
            /etc/gnome-vfs-2.0/modules/*-modules.conf                                 r,
    
            /usr/local/share/fonts/                                                   r,
    
            /usr/lib/@{ARCH}/pango/[0-9]*/modules/pango-basic-fc.so                   rm,
            /usr/lib/@{ARCH}/pango/[0-9]*/module-files.d/libpango[0-9]*.modules       r,
            /usr/lib/@{ARCH}/gtk-[0-9]*/[0-9]*/{immodules,engines}/*.so               rm,
            /usr/lib/@{ARCH}/gtk-[0-9]*/[0-9]*/gtk.immodules                          r,
            /usr/lib/@{ARCH}/gdk-pixbuf-[0-9]*/[0-9]*/{loaders.cache,gtk.immodules}   r,
            /usr/lib/@{ARCH}/pango/[0-9]*/module-files.d/                             r,
            /usr/lib/@{ARCH}/{,jni/}*.so.[0-9]*                                       rm,
            /usr/lib/@{ARCH}/gconv/gconv-modules{,.cache}                             r,
            /usr/lib/@{ARCH}/gio/modules/{,giomodule.cache}                           r,
            /usr/lib/@{ARCH}/gio/modules/*.so                                         rm,
            /usr/lib/@{ARCH}/{,gvfs/,nss/}*.so                                        rm,
            /usr/lib/jvm/java-7-openjdk-amd64/jre/**                                  r,
            /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/{,server/,jli/,xawt/}*.so rm,
            /usr/lib/locale/locale-archive                                            r,
    
            /usr/share/{icons,fonts,jitsi,javazi}/**                  r,
            /usr/share/java/java-atk-wrapper.jar                      r,
            /usr/share/themes/Default/gtk-[0-9]*-key/gtkrc            r,
            /usr/share/themes/Trisquel/gtk-[0-9]*/gtkrc               r,
            /usr/share/themes/Trisquel/gtk-[0-9]*/{apps,widgets}/*.rc r,
            /usr/share/mime/*                                         r,
            /usr/share/{pixmaps,icons}/                               r,
            /usr/share/hunspell/*                                     r,
            /usr/share/X11/locale/**                                  r,
            /usr/share/gvfs/remote-volume-monitors/{,*.monitor}       r,
            /usr/share/locale-langpack/en_*/LC_MESSAGES/*.mo          r,
    
            /var/cache/fontconfig/**                                  r,
            /var/lib/dbus/machine-id                                  r,
            /var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType/         r,
            /var/tmp/                                                 r,
    
            /sys/devices/system/cpu/{,online}                         r,
            /run/gdm/auth-for-sim-*/database                          r,
            /run/resolvconf/resolv.conf                               r,
            /proc/[0-9]*/{auxv,cmdline,coredump_filter,maps}          r,
            /proc/{stat,meminfo,filesystems}                          r,
            /tmp/                                                     r,
            owner /tmp/**                                             rw,
            /lib/@{ARCH}/*.so{,.[0-9]*}                               rm,
            /lib/*.so.[0-9]*                                          rm,
            /dev/{random,urandom}                                     r,
    
            deny network inet6 stream,
            deny /anon_hugepage//deleted                              r,
            deny /proc/[0-9]*/net/ipv6_route                          r,
            deny /proc/[0-9]*/net/if_inet6                            r,
            deny /proc/[0-9]*/coredump_filter                         w,
            deny @{HOME}/.config/ibus/bus/                            rw,
            deny /home/.ecryptfs/**                                   rw,
            deny /tmp/**                                              m,
    
        }
    
        # Deny
        deny /dev/tty w,
    
    }
    
    
    abrowser
    Code:
    @{HOME}=/home/sim/
    @{ARCH}=x86_64-linux-gnu
    
    /usr/lib/abrowser/abrowser {
    
        network inet stream,
        network inet dgram,
    
        /etc/{timezone,locale.alias,nsswitch.conf,passwd,host.conf,hosts}               r,
        /etc/{localtime,mime.types,mailcap}                                             r,
        /etc/python[0-9]*/sitecustomize.py                                              r,
        /etc/xul-ext/ubufox.js                                                          r,
        /etc/ld.so.cache                                                                rm,
        /etc/fonts/{fonts,conf.avail/*}.conf                                            r,
        /etc/fonts/conf.d/{,99pdftoopvp.conf}                                           r,
        /etc/gnome-vfs-[0-9]*/modules/{,default-modules.conf,extra-modules.conf}        r,
        /etc/gnome/defaults.list                                                        r,
        /etc/passwd                                                                     rm,
        /etc/abrowser/syspref.js                                                        r,
    
        /usr/lib/python2.7/dist-packages/glib/_glib.so                                  rm,
        /usr/lib/{mozilla,abrowser-addons}/plugins/                                     r,
        /usr/lib/abrowser/{,browser/}omni.ja                                            rm,
        /usr/lib/abrowser/abrowser                                                      ix,
        /usr/lib/mozilla/plugins/*-plugin.so                                            rm,
        /usr/lib/locale/locale-archive                                                  rm,
        /usr/lib/@{ARCH}/lib*.so*                                                       rm,
        /usr/lib/@{ARCH}/mesa/libGL.so.[0-9]*                                           rm,
        /usr/lib/@{ARCH}/gconv/gconv-modules{,.cache}                                   rm,
        /usr/lib/@{ARCH}/gconv/UTF-[0-9]*.so                                            rm,
        /usr/lib/@{ARCH}/dri/*.so                                                       rm,
        /usr/lib/@{ARCH}/gtk-[0-9]*/[0-9]*/engines/lib*.so                              rm,
        /usr/lib/@{ARCH}/pango/[0-9]*/module-files.d/{,libpango1.0-0.modules}           r,
        /usr/lib/@{ARCH}/pango/[0-9]*/modules.so                                        rm,
        /usr/lib/@{ARCH}/pango/[0-9]*/modules/*.so                                      rm,
        /usr/lib/@{ARCH}/gtk-[0-9]*/[0-9]*/gtk.immodules                                r,
        /usr/lib/@{ARCH}/gtk-[0-9]*/[0-9]*/immodules/im-ibus.so                         rm,
        /usr/lib/@{ARCH}/gio/modules/lib*.so                                            rm,
        /usr/lib/@{ARCH}/gio/modules/{,giomodule.cache}                                 r,
        /usr/lib/@{ARCH}/gvfs/libgvfscommon.so                                          rm,
        /usr/lib/@{ARCH}/libcanberra-[0-9]*/libcanberra-pulse.so                        rm,
        /usr/lib/@{ARCH}/gdk-pixbuf-[0-9]*/[0-9]*/loaders.cache                         r,
        /usr/lib/@{ARCH}/gdk-pixbuf-[0-9]*/[0-9]*/loaders/libpixbufloader-{svg,png}.so  rm,
    
        /usr/lib/abrowser/{,components/}*.so                     rm,
        /usr/lib/abrowser/**                                     r,
        /usr/lib/abrowser/browser/components/libbrowsercomps.so  rm,
        /usr/lib/abrowser-addons/**                              r,
        /usr/lib/abrowser-addons/extensions/*.xpi                rm,
        /usr/lib/locale/locale-archive                           r,
    
        /usr/share/X11/locale/locale.{dir,alias}                 r,
        /usr/share/X11/locale/{C,en_US.UTF-8}/XLC_LOCALE         r,
        /usr/share/locale-langpack/**                            r,
        /usr/share/themes/Trisquel/gtk-[0-9]*/gtkrc              r,
        /usr/share/themes/Trisquel/gtk-[0-9]*/apps/*.rc          r,
        /usr/share/themes/Trisquel/gtk-[0-9]*/widgets/panel.rc   r,
        /usr/share/themes/Default/gtk-[0-9]*-key/gtkrc           r,
        /usr/share/{fonts,icons,mime}/{,**}                      rm,
        /usr/share/{,icons/,pixmaps/,hyphen/}                    r,
        /usr/share/icons/DMZ-White/cursors/xterm                 r,
        /usr/share/mozilla/extensions/{,*/}                      r,
        /usr/share/xul-ext/ubufox/{,**}                          r,
        /usr/share/gvfs/remote-volume-monitors/{,*.monitor}      r,
        /usr/share/gnome/applications/mime{apps.list,info.cache} r,
        /usr/share/applications/evince.desktop                   r,
        /usr/share/glib-2.0/schemas/gschemas.compiled            rm,
        /usr/share/applications/{*.desktop,mimeinfo.cache}       r,
        /usr/share/libthai/thbrk.tri                             r,
        /usr/share/{mozilla,hunspell}/                           r,
        /usr/share/hunspell/*                                    r,
        /usr/share/zoneinfo/{,**}                                r,
        /usr/share/hyphen/*.dic                                  r,
    
        /tmp/{,orbit-sim/}                                    r,
        owner /tmp/**                                         w,
        owner /tmp/*.{part,pdf,xpi}                           r,
    
        /var/tmp/                                             r,
        /var/tmp/*                                            rwk,
        /var/lib/dbus/machine-id                              r,
        /var/cache/fontconfig/*.cache-3                       rm,
    
        /sys/devices/system/cpu/{present,online}              r,
    
        /lib/@{ARCH}/lib*.so*                                 rm,
        /lib/libnss_mdns4{,_minimal}.so.2                     rm,
    
        owner @{HOME}/                                        r,
        owner @{HOME}/Downloads/                              r,
        owner @{HOME}/Downloads/**                            rw,
        owner @{HOME}/.mozilla/abrowser/**                    rwkm,
        owner @{HOME}/.config/user-dirs.dirs                  r,
        owner @{HOME}/.cache/mozilla/abrowser/**              rwkm,
        owner @{HOME}/{.ICEauthority,.gtk-bookmarks}          r,
        owner @{HOME}/.local/share/recently-used.xbel*        rw,
        owner @{HOME}/.local/share/applications/mimeapps.list r,
        owner @{HOME}/.local/share/recently-used.xbel         r,
        owner @{HOME}/.thumbnails/**                          r,
    
        /proc/[0-9]*/{stat,maps,mountinfo,fd/}                r,
        /proc/{cpuinfo,stat,filesystems,meminfo}              r,
        /proc/[0-9]*/task/[0-9]*/stat                         r,
    
        /dev/null                                             rw,
        /dev/dri/card[0-9]                                    rw,
        /dev/urandom                                          r,
    
        /run/gdm/auth-for-sim-*/database                      r,
        /run/resolvconf/resolv.conf                           r,
        /run/shm/                                             r,
    
        /bin/ps                                               Cx,
    
        profile /bin/ps {

            /bin/ps                                    r,

            /dev/tty                                   r,

            /etc/ld.so.cache                           r,

            /lib/libproc-*.so                          rm,
            /lib/@{ARCH}/{ld,libc}-*.so                rm,

            /sys/devices/system/cpu/online             r,

            /usr/lib/locale/**                         r,
            /usr/lib/@{ARCH}/gconv/gconv-modules.cache r,

            /proc/{,meminfo,stat,uptime,version}       r,
            /proc/[0-9]*/{cmdline,stat,status,}        r,
            /proc/[0-9]/{cmdline,stat,status}          r,
            /proc/sys/kernel/pid_max                   r,
            /proc/tty/drivers                          r,

            deny capability sys_ptrace,

        }

        # Deny
        deny network inet6 stream,
        deny /proc/[0-9]*/net/{if_inet6,ipv6_route}   rw,
        deny /.suspended                              rw,
        deny /boot/initrd.img*                        rw,
        deny /boot/vmlinuz*                           rw,
        deny /var/cache/fontconfig/                   w,
        deny /run/shm/pulse-*                         rw,
        deny /home/.ecryptfs/**                       rw,
        deny @{HOME}/.local/share/gvfs-metadata/**    rw,
        deny @{HOME}/.cache/dconf/**                  rw,
        deny @{HOME}/.cache/event-sound-*             rw,
        deny @{HOME}/.gstreamer-*/**                  rwk,
        deny @{HOME}/.config/ibus/bus/                w,
        deny @{HOME}/.{emacs,dingrc,bashrc,face}      rw,
        deny @{HOME}/.bash_{logout,history}           rw,
        deny @{HOME}/.x{session-errors,bindkeysrc}    rw,
        deny @{HOME}/.{screenrc,profile,lesshst}      rw,
        deny @{HOME}/.{pam_environment,pulse-cookie}  rw,
        deny @{HOME}/.fontconfig/*                    rwk,
        deny /usr/bin/{gtk-gnash,gconftool-2}         x,
        deny /usr/lib/mozilla/extensions/**/          w,
        deny /usr/lib/xulrunner-addons/extensions/**/ w,
        deny /usr/lib/{abrowser,xulrunner}-addons/**  w,
        deny /usr/lib/abrowser/plugin-container       x,
        deny /usr/lib/xulrunner-*/components/*.tmp    w,
        deny /usr/lib/gstreamer-0.10/                 rw,
        deny /usr/lib/@{ARCH}/gstreamer-0.10/         rw,
        deny /usr/share/sounds/ubuntu/index.theme     rw,
        deny /etc/sound/events/gtk-events-2.soundlist rw,
        deny /etc/pulse/client.conf                   rw,
        deny /etc/gai.conf                            r,

    }
    
    evince
    Code:
    @{HOME}=/home/sim/
    @{ARCH}=x86_64-linux-gnu
    
    /usr/bin/evince {
    
        /usr/lib/{,@{ARCH}/}*.so*                                              rm,
        /usr/lib/@{ARCH}/gconv/gconv-modules{,.cache}                          r,
        /usr/lib/@{ARCH}/gconv/*.so                                            rm,
        /usr/lib/@{ARCH}/gio/modules/*.so                                      rm,
        /usr/lib/@{ARCH}/gvfs/*.so                                             rm,
        /usr/lib/@{ARCH}/gdk-pixbuf-[0-9]*/[0-9]*/loaders.cache                r,
        /usr/lib/@{ARCH}/gdk-pixbuf-[0-9]*/[0-9]*/loaders/**.so                rm,
        /usr/lib/@{ARCH}/gtk-[0-9]*/[0-9]*/immodules.cache                     rm,
        /usr/lib/@{ARCH}/gio/modules/{,giomodule.cache}                        r,
        /usr/lib/@{ARCH}/pango/[0-9]*/module-files.d/{,libpango[0-9]*.modules} r,
        /usr/lib/@{ARCH}/pango/[0-9]*/modules/*.so                             rm,
        /usr/lib/locale/locale-archive                                         r,
        /usr/lib/gtk-[0-9]*/[0-9]*/theming-engines/*.so                        rm,
        /usr/lib/evince/4/backends/{,*.evince-backend}                         r,
        /usr/lib/evince/4/backends/*.so                                        rm,
        /usr/lib/ghostscript/                                                  r,
        /usr/lib/ghostscript/[0-9]*/                                           r,
        /usr/lib/ghostscript/[0-9]*/*.so                                       rm,
        /usr/share/{poppler,evince}/**                                         r,
        /usr/share/X11/locale/locale.alias                                     r,
        /usr/share/themes/Default/gtk-[0-9]*/gtk-keys.css                      r,
        /usr/share/themes/Trisquel/gtk-[0-9]*/settings.ini                     r,
        /usr/share/themes/Trisquel/gtk-[0-9]*/{,apps/}*.css                    r,
        /usr/share/X11/locale/locale.dir                                       r,
        /usr/share/X11/locale/en_US.UTF-8/XLC_LOCALE                           r,
        /usr/share/gvfs/remote-volume-monitors/{,*.monitor}                    r,
        /usr/share/icons/{,**}                                                 r,
        /usr/share/mime/*                                                      r,
        /usr/share/fonts/**.{ttf,pfb}                                          r,
        /usr/share/pixmaps/                                                    r,
        /usr/share/applications/evince.desktop                                 r,
        /usr/share/locale-langpack/en/LC_MESSAGES/gtk30.mo                     r,
        /usr/share/glib-[0-9]*/schemas/gschemas.compiled                       r,
        /usr/share/ghostscript/[0-9]*/**                                       r,
        /usr/share/locale-langpack/**.mo                                       r,
    
        /lib/@{ARCH}/*.so*                                                     rm,
    
        /etc/{ld.so.cache,localtime,passwd,locale.alias,nsswitch.conf}         r,
        /etc/papersize                                                         r,
        /etc/gtk-3.0/settings.ini                                              r,
        /etc/fonts/**.conf                                                     r,
        /etc/fonts/conf.d/                                                     r,
    
        /run/gdm/auth-for-*/database                                           r,
    
        /proc/{filesystems,cpuinfo,stat,meminfo}                               r,
        /proc/[0-9]*/auxv                                                      r,
    
        /sys/devices/system/cpu/online                                         r,
    
        /var/cache/fontconfig/{,*.cache*}                                      r,
        /var/lib/ghostscript/fonts/**                                          r,
    
        owner @{HOME}/.fontconfig/*.LCK                                        l,
        owner @{HOME}/.ICEauthority                                            r,
        owner @{HOME}/.config/evince/**                                        rwk,
        owner @{HOME}/.config/dconf/user                                       r,
        owner @{HOME}/.local/share/recently-used.xbel**                        rwk,
        owner @{HOME}/.local/share/gvfs-metadata/{home,*.log}                  r,
        owner @{HOME}/.cache/dconf/user                                        rwk,
    
        owner /**.{pdf,ps}                                                     r,
    
        /dev/urandom                                                           r,
    
        # Deny
        deny /home/.ecryptfs/** rw,

    }
    
    start-tor-browser
    Code:
    @{TOR}=/opt/tor-browser_en-US/
    @{SHARE}=/usr/share/
    @{ARCH}=x86_64-linux-gnu
    
    /opt/tor-browser_en-US/start-tor-browser {
    
        # Tor directory
        owner @{TOR}/Tor/tor                       r,
        owner @{TOR}/start-tor-browser             r,
        owner @{TOR}/Browser/firefox               Px,
    
        /etc/{magic,ld.so.cache,locale.alias}      r,
    
        /{,var/}run/utmp                           r,
    
        /usr/bin/{getconf,dirname}                 Cx,
    
        @{SHARE}/file/magic{/,.mgc}                r,
    
        /lib/@{ARCH}/*.so                          rm,
    
        /dev/null                                  rw,
    
        /usr/share/locale-langpack/en/LC_MESSAGES/ r,
        /usr/lib/locale/locale-archive             r,
    
        profile /usr/bin/getconf {
    
            /usr/bin/getconf                           r,
            /usr/share/locale-langpack/en/LC_MESSAGES/ r,
            /usr/lib/locale/locale-archive             r,
    
            /dev/null                                  r,
    
            /lib/@{ARCH}/*.so                          rm,
    
            /etc/{ld.so.cache,locale.alias}            r,
    
        }
    
        profile /usr/bin/dirname {
    
            /usr/bin/dirname                r,
            /usr/lib/locale/locale-archive  r,
    
            /dev/null                       rw,
    
            /lib/@{ARCH}/*.so               rm,
    
            /etc/{ld.so.cache,locale.alias} r,
    
        }
    
        # Deny
        deny /bin/{grep,ps,mkdir,sed,ln}    rwx,
        deny /usr/bin/{expr,file,id,zenity} rwx,

    }
    
    tor
    Code:
    @{TOR}=/opt/tor-browser_en-US/
    @{ARCH}=x86_64-linux-gnu
    
    #include <tunables/global>
    
    /opt/tor-browser_en-US/Tor/tor {
    
      network tcp,
    
      owner @{TOR}/Tor/tor                rm,
      owner @{TOR}/Data/Tor/*             rw,
      owner @{TOR}/Data/Tor/lock          rwk,
      owner @{TOR}/Lib/*.so*              rm,
    
      /etc/{host,resolv,nsswitch}.conf    r,
      /etc/{passwd,ld.so.cache,localtime} r,
    
      /proc/{meminfo,cpuinfo,stat}        r,
      /proc/sys/kernel/random/uuid        r,
    
      /sys/devices/system/cpu/{,online}   r,
    
      /dev/null                           rw,
      /dev/{urandom,random}               r,
    
      /lib/@{ARCH}/*.so*                  rm,
    
      /usr/lib/*.so*                      rm,
    
    }
    
    tor-browser
    Code:
    @{TOR}=/opt/tor-browser_en-US/
    @{SHARE}=/usr/share/
    @{HOME}=/home/sim/
    @{ARCH}=x86_64-linux-gnu
    
    /opt/tor-browser_en-US/Browser/firefox {
    
        network tcp,
    
        owner @{TOR}/Tor/tor                                   Px,
        owner @{TOR}/.fontconfig/**                            rwl,
        owner @{TOR}/.cache/                                   rwk,
        owner @{TOR}/Browser/**                                r,
        owner @{TOR}/Browser/*.so                              rm,
        owner @{TOR}/Browser/{,browser/}components/*.so        rm,
        owner @{TOR}/Data/Browser/                             r,
        owner @{TOR}/Data/Browser/**                           rwk,
    
        owner @{HOME}/{,Downloads/}                            r,
        owner @{HOME}/Downloads/**                             rw,
        owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini       r,
        owner @{HOME}/.{icons,themes}/{,**}                    r,
        owner @{HOME}/.local/share/icons/                      r,
        owner @{HOME}/.local/share/gvfs-metadata/home*         r,
        owner @{HOME}/.local/share/applications/mimeapps.list  r,
    
        @{SHARE}/applications/{,mimeinfo.cache*.desktop}       r,
        @{SHARE}/gnome/applications/mime{apps.list,info.cache} r,
        @{SHARE}/{fonts,icons}/{,**}                           r,
        @{SHARE}/gvfs/remote-volume-monitors/{,*.monitor}      r,
        @{SHARE}/{,mime,pixmaps}/                              r,
        @{SHARE}/zoneinfo/Zulu                                 r,
        @{SHARE}/{poppler,themes,pixmaps,mime}/**              r,
    
        /etc/X11/cursors/*                                     r,
        /etc/fonts/**                                          r,
        /etc/gnome/defaults.list                               r,
        /etc/gnome-vfs-2.0/modules/{,*.conf}                   r,
        /etc/{drirc,ld.so.cache,locale.alias,localtime}        r,
        /etc/{mailcap,mime.types,passwd}                       r,
    
        /bin/dash                                    r,
    
        /dev/dri/card0                               r,
        /dev/null                                    rw,
        /dev/urandom                                 r,
    
        /lib{,32,64}/*.so*                           rm,
        /lib/@{ARCH}/*.so*                           rm,
    
        owner /{,var/}run/gdm/auth*/database         r,
    
        /run/shm/                                    r,
        /run/gdm3/**                                 r,
    
        /sys/devices/system/cpu/{present,online}     r,
    
        /var/cache/fontconfig/*                      r,
        /var/lib/dbus/machine-id                     r,
        /var/tmp/                                    r,
        owner /var/tmp/*                             rwk,
    
        /proc/[0-9]*/{stat,maps}                     r,
        owner /proc/[0-9]*/task/[0-9]*/stat          r,
        /proc/{meminfo,filesystems}                  r,
    
        /usr/lib{,32,64}/**                          rm,
        /usr/local/share/fonts/                      r,
        /usr/share/                                  r,
        /usr/share/applications/mimeinfo.cache       r,
        /usr/share/X11/locale/locale.{alias,dir}     r,
        /usr/share/X11/locale/en_US.UTF-8/XLC_LOCALE r,
        /usr/share/zoneinfo/**                       r,
    
        /tmp/{,**}                                   r,
        owner /tmp/**                                w,
    
        # Deny
        deny /etc/{host.conf,hosts,nsswitch.conf,resolv.conf}         rw,
        deny /etc/sound/**                                            rw,
        deny /etc/pulse/client.conf                                   rw,
        deny /run/resolvconf/resolv.conf                              rw,
        deny /run/shm/pulse-*                                         rw,
        deny /proc/[0-9]*/mountinfo                                   rw,
        deny @{HOME}/.{gtk-bookmarks,ICEauthority,bash_logout}        rw,
        deny @{HOME}/.{pulse-cookie,bash_history,face,disablecompiz}  rw,
        deny @{HOME}/.{xsession-errors,screenrc,bashrc,dingrc}        rw,
        deny @{HOME}/.config/ibus/**                                  rw,
        deny @{HOME}/.config/user-dirs.dirs                           rw,
        deny @{HOME}/.local/share/recently-used.xbel*                 rw,
        deny /home/.ecryptfs/{,**}                                    rw,
        deny /usr/share/{libthai,sounds}/**                           rw,
        deny /usr/share/applications/*.desktop                        rw,
        deny /opt/tor-browser_en-US/.cache/event-sound*               rw,
        deny /opt/tor-browser_en-US/.pulse-cookie                     rw,
        deny /dev/dri/card0                                           rw,
        deny /bin/dash                                                rwx,
        deny /var/cache/fontconfig/                                   w,
        deny network dgram,
    
    }
    
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    I believe that for multiuser compatibility you can use /home/*/<whatever>. Remember, AppArmor does not replace DAC, it is in addition to DAC permissions. If user Jack does not have access to user Bob's home directory, AppArmor is not going to grant it.

    Nice what you did with evince BTW, giving it automatic read permissions to PDF/PS files and little else.
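Gullible Jones's point about `/home/*/`, as an added AppArmor fragment that is not from the thread or from the posted profiles: the evince header from the post above, rewritten so that `@{HOME}` comes from the stock `tunables/global` (which pulls in `tunables/home`, where `@{HOME}` expands to `@{HOMEDIRS}/*/` and `/root/`) instead of the hard-coded `/home/sim/`. The file rules are a shortened subset of the posted evince profile; the `@{HOMEDIRS}` site file path is the standard one and an assumption about the target system.

```apparmor
# Added example (not from the thread): the evince profile header rewritten
# for multi-user systems. tunables/global includes tunables/home, whose
# @{HOME} expands to @{HOMEDIRS}/*/ and /root/, so the profile no longer
# embeds one account name. Do not also write "@{HOME}=..." below: the parser
# refuses to redefine a variable it already has (use "+=" to extend one).
# Sites with home directories outside /home add them in
# /etc/apparmor.d/tunables/home.d/ with a line such as "@{HOMEDIRS}+=/srv/home/".
#include <tunables/global>

@{ARCH}=x86_64-linux-gnu

/usr/bin/evince {

    # Binary, loader and libraries (from the posted profile, shortened).
    /usr/bin/evince                                                r,
    /lib/@{ARCH}/*.so*                                             rm,
    /usr/lib/{,@{ARCH}/}*.so*                                      rm,
    /usr/lib/evince/4/backends/{,*.evince-backend}                 r,
    /usr/lib/evince/4/backends/*.so                                rm,
    /etc/{ld.so.cache,localtime,passwd,locale.alias,nsswitch.conf} r,
    /usr/share/{poppler,evince}/**                                 r,
    /dev/urandom                                                   r,

    # Per-user state. "owner" adds a check on top of DAC and never
    # replaces it: if the filesystem already stops user A from reading
    # user B's home, this rule cannot open it up; it can only narrow the
    # match further to files owned by the process's own user.
    owner @{HOME}/.config/evince/**                                rwk,
    owner @{HOME}/.config/dconf/user                               r,
    owner @{HOME}/.cache/dconf/user                                rwk,
    owner @{HOME}/.local/share/recently-used.xbel*                 rwk,

    # The read rule from the posted profile: any PDF or PostScript file
    # the user owns, anywhere, and nothing else from the home directory.
    owner /**.{pdf,ps}                                             r,

    # Encrypted-home metadata stays out of reach regardless of owner.
    deny /home/.ecryptfs/**                                        rw,

}
```

With this header the same profile file loads unchanged on every account of the machine, and a denial for another user's files shows up in the audit log as a DAC refusal before AppArmor is even consulted.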
     
  5. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    Thanks Sim. I like how you set your own tunables. It cleans things up nicely.

    Those were written for Intel graphics and a distro pre 14.04/Jessie using Gnome Shell, is that correct?
     
  6. _Sim_

    _Sim_ Registered Member

    Joined:
    Mar 2, 2014
    Posts:
    15
    Yes, these Apparmor profiles are written for Intel graphics. I am using Trisquel, which is a completely free GNU/Linux distribution supported by the Free Software Foundation, and a self-compiled kernel (GNU Linux-libre 3.14.12 + Grsecurity). That's why Firefox is called Abrowser on my system. Trisquel 6 is based on Ubuntu 12.04 (Precise). Maybe the sound will not work when someone uses my Apparmor profiles, because I use a different computer for YouTube, music and movies.

    I have seen that you use an additional profile for Thunderbird (thunderbird.sh) and Firefox (firefox.sh). Is this more secure?
    I have never seen dbus messaging rules like those in your profiles before. Nice.
     
  7. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    From what I've seen, the Firefox script is now only used on first start (I think I read that on the Apparmor mailing list) and a profile migration helper (says the script itself). It used to launch the browser on more occasions but since I don't know when exactly it's being used, I've kept the .sh profile around. Thunderbird may still launch through the script since it's been frozen on version 24 for so long. I haven't checked.

    Apparmor got pretty good Dbus mediation in 13.10. 14.04 brought ptrace and interprocess signal limiting. It's still a bit coarse but is on track for improvement.
    https://blueprints.launchpad.net/ubuntu/+spec/appdev-s-appisolation-signals-ipc-ptrace
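The mediation shuverisan refers to, as an added AppArmor fragment that is not from the thread or from the linked profiles: D-Bus rules of the kind the 13.10 parser accepts, plus the signal and ptrace rules that arrived with 14.04, placed in the header of the tor-browser profile posted earlier in this thread. The notification interface and the exact signal sets are illustrative choices, not something the thread specifies.

```apparmor
# Added example (not from the thread or the linked profiles): D-Bus,
# signal and ptrace rules inside the posted tor-browser profile header.
# The notification interface is an illustrative choice.
#include <tunables/global>

@{TOR}=/opt/tor-browser_en-US/

/opt/tor-browser_en-US/Browser/firefox {

    network tcp,

    owner @{TOR}/Tor/tor  Px,

    # D-Bus mediation (13.10+): one bus, one destination, one interface,
    # two methods. Any other destination or method is refused and logged
    # as apparmor="DENIED" operation="dbus_method_call".
    dbus send
         bus=session
         path=/org/freedesktop/Notifications
         interface=org.freedesktop.Notifications
         member={Notify,GetCapabilities}
         peer=(name=org.freedesktop.Notifications),

    # Every client also talks to the bus daemon itself (Hello, AddMatch,
    # GetNameOwner ...), so that interface is needed as well.
    dbus send
         bus=session
         path=/org/freedesktop/DBus
         interface=org.freedesktop.DBus
         peer=(name=org.freedesktop.DBus),

    # Signals coming back from those two peers (NotificationClosed,
    # NameOwnerChanged and the like).
    dbus receive
         bus=session
         interface=org.freedesktop.Notifications
         peer=(name=org.freedesktop.Notifications),
    dbus receive
         bus=session
         interface=org.freedesktop.DBus
         peer=(name=org.freedesktop.DBus),

    # Signals (14.04): the unconfined desktop session may stop the
    # browser, and the browser may only stop the tor it launched above.
    # No other signal traffic in either direction is allowed.
    signal (receive) set=(term, kill, hup) peer=unconfined,
    signal (send)    set=(term, kill)      peer=/opt/tor-browser_en-US/Tor/tor,

    # ptrace (14.04): reading /proc/<pid>/maps and similar files of its
    # own tasks needs read access to its own label; attaching to any
    # process at all is refused. (The posted ps child profile reaches a
    # similar end with "deny capability sys_ptrace".)
    ptrace (read) peer=@{profile_name},
    deny ptrace (trace),

    # (file rules as in the posted tor-browser profile go here)

}
```

These three rule kinds only do something when the running kernel carries the Ubuntu AppArmor patches of that period; a self-built upstream or Linux-libre kernel of the same era has no D-Bus mediation at all. Before relying on them, check that `/sys/kernel/security/apparmor/features/` lists `dbus`, `signal` and `ptrace`; if an entry is missing, the corresponding rules are not enforced.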
     
  8. _Sim_

    _Sim_ Registered Member

    Joined:
    Mar 2, 2014
    Posts:
    15
    Thanks for the information.
     