>From 3d35e9547fae383afd004608c9da646377caab66 Mon Sep 17 00:00:00 2001
Message-Id: <3d35e9547fae383afd004608c9da646377caab66.1506853631.git.agx@sigxcpu.org>
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Sat, 30 Sep 2017 11:26:15 +0200
Subject: [PATCH] Add apparmor profile

The profile is based on the Ubuntu one and the one provided by Daniel
Richard G.
---
 debian/apparmor/usr.bin.chromium | 304 +++++++++++++++++++++++++++++++++++++++
 debian/chromium.install          |   2 +
 debian/control                   |   1 +
 debian/rules                     |   1 +
 4 files changed, 308 insertions(+)
 create mode 100644 debian/apparmor/usr.bin.chromium

diff --git a/debian/apparmor/usr.bin.chromium b/debian/apparmor/usr.bin.chromium
new file mode 100644
index 0000000..472664d
--- /dev/null
+++ b/debian/apparmor/usr.bin.chromium
@@ -0,0 +1,304 @@
+# Author: Jamie Strandboge <jamie@canonical.com>
+#include <tunables/global>
+
+# Debian compatibility aliases
+# https://bugs.debian.org/742829
+#
+alias /etc/chromium-browser/ -> /etc/chromium/,
+alias /usr/bin/chromium-browser -> /usr/bin/chromium,
+alias /usr/lib/chromium-browser/chromium-browser-sandbox -> /usr/lib/chromium/chrome-sandbox,
+alias /usr/lib/chromium-browser/chromium-browser -> /usr/lib/chromium/chromium,
+alias /usr/lib/chromium-browser/ -> /usr/lib/chromium/,
+
+# We need 'flags=(attach_disconnected)' in newer chromium versions
+/usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
+  #include <abstractions/audio>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus-session>
+  #include <abstractions/dbus-strict>
+  #include <abstractions/gnome>
+  #include <abstractions/ibus>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  # Browser specific abstratctions
+  #include <abstractions/ubuntu-browsers.d/plugins-common>
+  #include <abstractions/ubuntu-browsers.d/mailto>
+  #include <abstractions/ubuntu-browsers.d/multimedia>
+  #include <abstractions/ubuntu-browsers.d/productivity>
+  #include <abstractions/ubuntu-browsers.d/java>
+  #include <abstractions/ubuntu-browsers.d/kde>
+  #include <abstractions/ubuntu-browsers.d/text-editors>
+  #include <abstractions/ubuntu-browsers.d/ubuntu-integration>
+  #include <abstractions/ubuntu-browsers.d/user-files>
+
+  # Networking
+  network inet stream,
+  network inet6 stream,
+  @{PROC}/[0-9]*/net/if_inet6 r,
+  @{PROC}/[0-9]*/net/ipv6_route r,
+
+  # Should maybe be in abstractions
+  /etc/mime.types r,
+  /etc/mailcap r,
+  /etc/mtab r,
+  /etc/xdg/xubuntu/applications/defaults.list r,
+  owner @{HOME}/.local/share/applications/defaults.list r,
+  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+
+  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/filesystems r,
+  @{PROC}/ r,
+  @{PROC}/vmstat r,
+  @{PROC}/[0-9]*/task/[0-9]*/stat r,
+  owner @{PROC}/[0-9]*/cmdline r,
+  owner @{PROC}/[0-9]*/io r,
+  owner @{PROC}/[0-9]*/setgroups w,
+  owner @{PROC}/[0-9]*/{uid,gid}_map w,
+  @{PROC}/[0-9]*/smaps r,
+  owner @{PROC}/[0-9]*/stat r,
+  @{PROC}/[0-9]*/statm r,
+  owner @{PROC}/[0-9]*/status r,
+  owner @{PROC}/[0-9]*/task/[0-9]*/status r,
+  deny @{PROC}/[0-9]*/oom_{,score_}adj w,
+  @{PROC}/sys/kernel/yama/ptrace_scope r,
+  @{PROC}/sys/net/ipv4/tcp_fastopen r,
+  @{PROC}/@{pid}/task/@{tid}/status rw,
+
+  # Newer chromium needs these now
+  /etc/udev/udev.conf r,
+  /sys/devices/**/uevent r,
+  /sys/devices/system/cpu/cpu*/{cpufreq,policy*}/cpuinfo_max_freq r,
+  /sys/devices/system/node/node*/meminfo r,
+  /sys/devices/pci[0-9]*/**/class r,
+  /sys/devices/pci[0-9]*/**/config r,
+  /sys/devices/pci[0-9]*/**/device r,
+  /sys/devices/pci[0-9]*/**/irq r,
+  /sys/devices/pci[0-9]*/**/resource r,
+  /sys/devices/pci[0-9]*/**/revision r,
+  /sys/devices/pci[0-9]*/**/vendor r,
+  /sys/devices/pci[0-9]*/**/subsystem_vendor r,
+  /sys/devices/pci[0-9]*/**/subsystem_device r,
+  /sys/devices/pci[0-9]*/**/removable r,
+  /sys/devices/pci[0-9]*/**/block/**/size r,
+  /sys/devices/virtual/block/**/removable r,
+  /sys/devices/virtual/block/**/size r,
+  /sys/devices/virtual/tty/tty*/active r,
+  # This is requested, but doesn't seem to actually be needed so deny for now
+  deny /run/udev/data/** r,
+
+  # Needed for the crash reporter
+  owner @{PROC}/[0-9]*/auxv r,
+
+  # chromium mmaps all kinds of things for speed.
+  /etc/passwd m,
+  /usr/share/fonts/truetype/**/*.tt[cf] m,
+  /usr/share/fonts/**/*.pfb m,
+  /usr/share/mime/mime.cache m,
+  /usr/share/icons/**/*.cache m,
+  owner /{dev,run}/shm/pulse-shm* m,
+  owner @{HOME}/.local/share/mime/mime.cache m,
+  owner /tmp/** m,
+
+  @{PROC}/sys/kernel/shmmax r,
+  owner /{dev,run}/shm/{,.}org.chromium.* mrw,
+  owner /{,var/}run/shm/shmfd-* mrw,
+
+  /usr/lib/chromium-browser/*.pak mr,
+  /usr/lib/chromium-browser/locales/* mr,
+
+  # Noisy
+  deny /usr/lib/chromium-browser/** w,
+
+  capability sys_admin,
+  capability sys_chroot,
+  capability sys_ptrace,
+
+  # Allow ptracing ourselves
+  ptrace (trace) peer=@{profile_name},
+
+  # Make browsing directories work
+  / r,
+  /**/ r,
+
+  # Allow access to documentation and other files the user may want to look
+  # at in /usr
+  /usr/{include,share,src}** r,
+
+  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+  owner @{HOME}/ r,
+  owner @{HOME}/Public/ r,
+  owner @{HOME}/Public/* r,
+  owner @{HOME}/Downloads/ r,
+  owner @{HOME}/Downloads/* rw,
+
+  # For migration
+  owner @{HOME}/.mozilla/firefox/profiles.ini r,
+  owner @{HOME}/.mozilla/firefox/*/prefs.js r,
+
+  # Helpers
+  /usr/bin/xdg-open ixr,
+  /usr/bin/gnome-open ixr,
+  /usr/bin/gvfs-open ixr,
+  /usr/bin/kdialog ixr,
+  # TODO: xfce
+
+  # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
+  # which is provided by abstractions/ubuntu-browsers.d/user-files).
+  /etc/firefox/profile/bookmarks.html r,
+  owner @{HOME}/.mozilla/** k,
+
+  # Chromium Policies
+  /etc/chromium-browser/policies/** r,
+
+  # Chromium configuration
+  owner @{HOME}/.pki/nssdb/* rwk,
+  owner @{HOME}/.cache/chromium/ rw,
+  owner @{HOME}/.cache/chromium/** rw,
+  owner @{HOME}/.cache/chromium/Cache/* mr,
+  owner @{HOME}/.config/chromium/ rw,
+  owner @{HOME}/.config/chromium/** rwk,
+  owner @{HOME}/.config/chromium/**/Cache/* mr,
+  owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
+  owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
+
+  # Allow transitions to ourself and our sandbox
+  /usr/lib/chromium-browser/chromium-browser ix,
+  /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
+  /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,
+
+  # Allow communicating with sandbox
+  unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox),
+
+  /{usr/,}bin/ps Uxr,
+  /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
+  /usr/bin/xdg-settings Cxr -> xdgsettings,
+  /usr/bin/lsb_release Cxr -> lsb_release,
+
+  # GSettings
+  owner /{,var/}run/user/*/dconf/     rw,
+  owner /{,var/}run/user/*/dconf/user rw,
+  owner @{HOME}/.config/dconf/user r,
+
+  profile xdgsettings {
+    #include <abstractions/bash>
+    #include <abstractions/gnome>
+
+    /{usr/,}bin/dash ixr,
+
+    /etc/ld.so.cache r,
+    /etc/xdg/** r,
+    /usr/bin/xdg-settings r,
+    /usr/lib/chromium-browser/xdg-settings r,
+    /usr/share/applications/*.desktop r,
+    /usr/share/applications/gnome-mimeapps.list r,
+
+    # Checking default browser
+    /{usr/,}bin/grep ixr,
+    /{usr/,}bin/readlink ixr,
+    /{usr/,}bin/sed ixr,
+    /{usr/,}bin/which ixr,
+    /{usr/,}bin/tr ixr,
+    /{usr/,}bin/head ixr,
+    /usr/bin/basename ixr,
+    /usr/bin/cut ixr,
+
+    # Setting the default browser
+    /{usr/,}bin/mkdir ixr,
+    /{usr/,}bin/mv ixr,
+    /{usr/,}bin/touch ixr,
+    /usr/bin/dirname ixr,
+    /usr/bin/gconftool-2 ix,
+    /usr/bin/[gm]awk ixr,
+    /usr/bin/xdg-mime ixr,
+    owner @{HOME}/.local/share/applications/ w,
+    owner @{HOME}/.local/share/applications/mimeapps.list* rw,
+  }
+
+  profile lsb_release {
+    #include <abstractions/base>
+    #include <abstractions/python>
+    /usr/bin/lsb_release r,
+    /{usr/,}bin/dash ixr,
+    /usr/bin/dpkg-query ixr,
+    /usr/include/python2.[4567]/pyconfig.h r,
+    /etc/lsb-release r,
+    /etc/debian_version r,
+    /etc/dpkg/origins/** r,
+    /usr/share/distro-info/** r,
+    /var/lib/dpkg/** r,
+
+    /usr/local/lib/python3.[0-9]/dist-packages/ r,
+    /usr/bin/ r,
+    /usr/bin/python3.[0-9] mr,
+  }
+
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.chromium-browser>
+
+profile chromium_browser_sandbox {
+    # Be fanatical since it is setuid root and don't use an abstraction
+    /{usr/,}lib/libgcc_s.so* mr,
+    /{usr/,}lib/@{multiarch}/libgcc_s.so* mr,
+    /{usr/,}lib{,32,64}/libm-*.so* mr,
+    /{usr/,}lib/@{multiarch}/libm-*.so* mr,
+    /{usr/,}lib{,32,64}/libpthread-*.so* mr,
+    /{usr/,}lib/@{multiarch}/libpthread-*.so* mr,
+    /{usr/,}lib{,32,64}/libc-*.so* mr,
+    /{usr/,}lib/@{multiarch}/libc-*.so* mr,
+    /{usr/,}lib{,32,64}/libld-*.so* mr,
+    /{usr/,}lib/@{multiarch}/libld-*.so* mr,
+    /{usr/,}lib{,32,64}/ld-*.so* mr,
+    /{usr/,}lib/@{multiarch}/ld-*.so* mr,
+    /{usr/,}lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
+    /{usr/,}lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
+    /{usr/,}lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
+    /usr/lib/libstdc++.so* mr,
+    /usr/lib/@{multiarch}/libstdc++.so* mr,
+    /etc/ld.so.cache r,
+
+    # Required for dropping into PID namespace. Keep in mind that until the
+    # process drops this capability it can escape confinement, but once it
+    # drops CAP_SYS_ADMIN we are ok.
+    capability sys_admin,
+
+    # All of these are for sanely dropping from root and chrooting
+    capability chown,
+    capability fsetid,
+    capability setgid,
+    capability setuid,
+    capability dac_override,
+    capability sys_chroot,
+
+    capability sys_ptrace,
+    ptrace (read, readby),
+
+    signal (receive) peer=unconfined,
+    signal peer=@{profile_name},
+    signal (receive, send) set=("exists"),
+    signal (receive) peer=/usr/lib/chromium-browser/chromium-browser,
+
+    unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser),
+    unix (create),
+    unix peer=(label=@{profile_name}),
+    unix (getattr, getopt, setopt, shutdown) addr=none,
+
+    @{PROC}/ r,
+    @{PROC}/[0-9]*/ r,
+    @{PROC}/[0-9]*/fd/ r,
+    deny @{PROC}/[0-9]*/oom_adj w,
+    deny @{PROC}/[0-9]*/oom_score_adj w,
+    @{PROC}/[0-9]*/status r,
+    @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+    /usr/bin/chromium-browser r,
+    /usr/lib/chromium-browser/chromium-browser Px,
+    /usr/lib/chromium-browser/chromium-browser-sandbox r,
+    /usr/lib/chromium-browser/chrome-sandbox mr,
+
+    /dev/null rw,
+
+    owner /tmp/** rw,
+  }
+}
diff --git a/debian/chromium.install b/debian/chromium.install
index 6b20df4..039b43c 100644
--- a/debian/chromium.install
+++ b/debian/chromium.install
@@ -19,3 +19,5 @@ debian/chromium.desktop usr/share/applications
 debian/apikeys etc/chromium.d
 debian/extensions etc/chromium.d
 debian/default-flags etc/chromium.d
+
+debian/apparmor/usr.bin.chromium etc/apparmor.d
diff --git a/debian/control b/debian/control
index 695d483..6e75760 100644
--- a/debian/control
+++ b/debian/control
@@ -9,6 +9,7 @@ Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git
 Homepage: http://www.chromium.org/Home
 Build-Depends:
  debhelper (>= 10),
+ dh-apparmor,
  python3,
  pkg-config,
  ninja-build,
diff --git a/debian/rules b/debian/rules
index 8da3679..fe0f6e2 100755
--- a/debian/rules
+++ b/debian/rules
@@ -130,6 +130,7 @@ override_dh_auto_install-arch:
 	    mkdir -p $$dst; \
 	    cp $$file $$dst/chromium.$$ext; \
 	    done
+	dh_apparmor --profile-name=usr.bin.chromium -p chromium
 
 override_dh_fixperms:
 	dh_fixperms --exclude chrome-sandbox
-- 
2.14.1