first commit

etc_org/apparmor.d/abstractions/lightdm

@@ -0,0 +1,113 @@
+# vim:syntax=apparmor
+# Profile for restricting lightdm guest session
+# Author: Martin Pitt <martin.pitt@ubuntu.com>
+
+# This abstraction provides the majority of the confinement for guest sessions.
+# It is in its own abstraction so we can have a centralized place for
+# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
+# etc). Note that this profile intentionally omits chromium-browser.
+
+# Requires apparmor 2.9
+
+  #include <abstractions/authentication>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus>
+  #include <abstractions/dbus-session>
+  #include <abstractions/dbus-accessibility>
+  #include <abstractions/nameservice>
+  #include <abstractions/wutmp>
+
+  # bug in compiz https://launchpad.net/bugs/697678
+  /etc/compizconfig/config rw,
+  /etc/compizconfig/unity.ini rw,
+
+  / r,
+  /bin/ rmix,
+  /bin/fusermount Px,
+  /bin/** rmix,
+  /cdrom/ rmix,
+  /cdrom/** rmix,
+  /dev/ r,
+  /dev/** rmw, # audio devices etc.
+  owner /dev/shm/** rmw,
+  /etc/ r,
+  /etc/** rmk,
+  /etc/gdm/Xsession ix,
+  /etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper
+  /etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper
+  /lib/ r,
+  /lib/** rmixk,
+  /lib32/ r,
+  /lib32/** rmixk,
+  /lib64/ r,
+  /lib64/** rmixk,
+  owner /{,run/}media/ r,
+  owner /{,run/}media/** rmwlixk,  # we want access to USB sticks and the like
+  /opt/ r,
+  /opt/** rmixk,
+  @{PROC}/ r,
+  @{PROC}/* rm,
+  @{PROC}/[0-9]*/net/ r,
+  @{PROC}/[0-9]*/net/dev r,
+  @{PROC}/asound rm,
+  @{PROC}/asound/** rm,
+  @{PROC}/ati rm,
+  @{PROC}/ati/** rm,
+  @{PROC}/sys/vm/overcommit_memory r,
+  owner @{PROC}/** rm,
+  # needed for gnome-keyring-daemon
+  @{PROC}/*/status r,
+  # needed for bamfdaemon and utilities such as ps and killall
+  @{PROC}/*/stat r,
+  /sbin/ r,
+  /sbin/** rmixk,
+  /sys/ r,
+  /sys/** rm,
+  # needed for confined trusted helpers, such as dbus-daemon
+  /sys/kernel/security/apparmor/.access rw,
+  /tmp/ rw,
+  owner /tmp/** rwlkmix,
+  /usr/ r,
+  /usr/** rmixk,
+  /var/ r,
+  /var/** rmixk,
+  /var/guest-data/** rw, # allow to store files permanently
+  /var/tmp/ rw,
+  owner /var/tmp/** rwlkm,
+  /{,var/}run/ r,
+  # necessary for writing to sockets, etc.
+  /{,var/}run/** rmkix,
+  /{,var/}run/screen/** wl,
+  /{,var/}run/shm/** wl,
+  /{,var/}run/uuidd/request w,
+  # libpam-xdg-support/logind
+  owner /{,var/}run/user/*/** rw,
+
+  capability ipc_lock,
+
+  # allow processes in the guest session to signal and ptrace each other
+  signal peer=@{profile_name},
+  ptrace peer=@{profile_name},
+  # needed when logging out of the guest session
+  signal (receive) peer=unconfined,
+
+  unix peer=(label=@{profile_name}),
+  unix (receive) peer=(label=unconfined),
+  unix (create),
+  unix (getattr, getopt, setopt, shutdown),
+  unix (bind, listen) type=stream addr="@/com/ubuntu/upstart-session/**",
+  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
+  unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
+  unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
+  unix (bind, listen) type=stream addr="@guest*",
+  unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
+  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+  unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"),
+  unix (connect, receive, send) type=stream peer=(addr="@guest*"),
+
+  # silence warnings for stuff that we really don't want to grant
+  deny capability dac_override,
+  deny capability dac_read_search,
+  #deny /etc/** w, # re-enable once LP#697678 is fixed
+  deny /usr/** w,
+  deny /var/crash/ w,

etc_org/apparmor.d/abstractions/lightdm_chromium-browser

@@ -0,0 +1,74 @@
+# vim:syntax=apparmor
+# Profile abstraction for restricting chromium in the lightdm guest session
+# Author: Jamie Strandboge <jamie@canonical.com>
+
+# The abstraction provides the additional accesses required to launch
+# chromium based browsers from within an lightdm session. Because AppArmor
+# cannot yet merge profiles and because we want to utilize the access rules
+# provided in abstractions/lightdm, this abstraction must be separate from
+# abstractions/lightdm.
+
+# Requires apparmor 2.9
+
+  /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
+  /usr/bin/webapp-container Cx -> chromium,
+  /usr/bin/webbrowser-app Cx -> chromium,
+  /usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
+  /opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
+  /opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
+  /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
+  /opt/google/chrome/google-chrome Cx -> chromium,
+
+  # Allow ptracing processes in the chromium child profile
+  ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+
+  # Allow receiving and sending signals to processes in the chromium child profile
+  signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+
+  # Allow communications with chromium child profile via unix sockets
+  unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),
+
+  profile chromium {
+    # Allow all the same accesses as other applications in the guest session
+    #include <abstractions/lightdm>
+
+    # but also allow a few things because of chromium-browser's sandboxing that
+    # are not appropriate to other guest session applications.
+    owner @{PROC}/[0-9]*/oom_{,score_}adj w,
+    @{PROC}/sys/kernel/shmmax r,
+    capability sys_admin,  # for sandbox to change namespaces
+    capability sys_chroot, # fod sandbox to chroot to a safe directory
+    capability setgid,     # for sandbox to drop privileges
+    capability setuid,     # for sandbox to drop privileges
+    capability sys_ptrace, # chromium needs this to keep track of itself
+    @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+    # Allow ptrace reads of processes in the lightdm-guest-session
+    ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
+    # Allow other guest session processes to read and trace us
+    ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
+    ptrace (readby, tracedby) peer=@{profile_name},
+
+    # Allow us to receive and send signals from processes in the
+    # lightdm-guest-session
+    signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session,
+
+    # Allow us to receive and send on unix sockets from processes in the
+    # lightdm-guest-session
+    unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session),
+
+    @{PROC}/[0-9]*/ r,                 # sandbox wants these
+    @{PROC}/[0-9]*/fd/ r,              # sandbox wants these
+    @{PROC}/[0-9]*/statm r,            # sandbox wants these
+    @{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these
+
+    owner @{PROC}/@{pid}/setgroups w,
+    owner @{PROC}/@{pid}/uid_map w,
+    owner @{PROC}/@{pid}/gid_map w,
+
+    /selinux/ r,
+
+    /usr/lib/chromium-browser/chromium-browser-sandbox ix,
+    /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
+    /opt/google/chrome-*/chrome-sandbox ix,
+  }

etc_org/apparmor.d/abstractions/ubuntu-browsers.d/firefox

@@ -0,0 +1,14 @@
+# This file is updated by 'aa-update-browser' and may be overwritten on
+# upgrades.
+#
+# For site-specific adjustments, please see /etc/apparmor.d/local/<binary>
+
+#include <abstractions/ubuntu-browsers.d/plugins-common>
+#include <abstractions/ubuntu-browsers.d/mailto>
+#include <abstractions/ubuntu-browsers.d/multimedia>
+#include <abstractions/ubuntu-browsers.d/productivity>
+#include <abstractions/ubuntu-browsers.d/java>
+#include <abstractions/ubuntu-browsers.d/kde>
+#include <abstractions/ubuntu-browsers.d/text-editors>
+#include <abstractions/ubuntu-browsers.d/ubuntu-integration>
+#include <abstractions/ubuntu-browsers.d/user-files>