Created
October 12, 2016 11:19
-
-
Save mauron85/6b6d346b2fbd8dc9070711679546bfda to your computer and use it in GitHub Desktop.
Google Chrome AppArmor profile for Ubuntu 16.04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Last Modified: Wed Oct 12 13:00:00 2016 | |
| # All credits to: | |
| # https://github.com/detrout/apparmor-det/ | |
| # Helpful links: | |
| # https://bugs.dogfood.paddev.net/ubuntu/+source/libvirt/+bug/1386465 | |
| # http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html | |
| #include <tunables/global> | |
| /opt/google/chrome/chrome { | |
| #include <abstractions/audio> | |
| #include <abstractions/base> | |
| ##include <abstractions/ubuntu-browsers.d/java> | |
| #include <abstractions/dbus> | |
| #include <abstractions/dbus-session> | |
| #include <abstractions/dbus-accessibility> | |
| #include <abstractions/gnome> | |
| #/usr/bin/kde4-config rix, | |
| #/home/*/.kde/share/config/kdeglobals r, | |
| #/home/*/.kde/share/config/gtkrc-2.0 r, | |
| #/home/*/.kde/share/config/kioslaverc r, | |
| #/home/*/.kde/share/config/oxygenrc r, | |
| #include <abstractions/fonts> | |
| #include <abstractions/nvidia> | |
| #include <abstractions/video> | |
| #capability kill, | |
| #capability net_admin, | |
| #capability net_raw, | |
| #capability setgid, | |
| capability sys_admin, | |
| #capability sys_module, | |
| #capability sys_ptrace, | |
| #capability sys_nice, | |
| capability sys_chroot, | |
| #capability setuid, | |
| #capability dac_override, | |
| #capability dac_read_search, | |
| #capability fowner, | |
| #capability chown, | |
| #capability setpcap, | |
| #capability mknod, | |
| #capability fsetid, | |
| #capability ipc_lock, | |
| #capability audit_write, | |
| # Needed for vfio | |
| #capability sys_resource, | |
| network inet stream, | |
| network inet dgram, | |
| network inet6 stream, | |
| network inet6 dgram, | |
| network packet dgram, | |
| network netlink, | |
| /bin/which rix, | |
| /dev/ r, | |
| /dev/video* rw, | |
| /etc/fstab r, | |
| /etc/gai.conf r, | |
| /etc/group r, | |
| /etc/host.conf r, | |
| /etc/hosts r, | |
| /etc/lsb-release r, | |
| /etc/mtab r, | |
| /etc/nsswitch.conf r, | |
| /etc/passwd r, | |
| /etc/python2.7/sitecustomize.py r, | |
| /etc/resolv.conf r, | |
| /etc/udev/udev.conf r, | |
| owner /home/*/ r, | |
| /home/*/.ICEauthority r, | |
| /home/*/.Xauthority r, | |
| /home/*/.cache/dconf/user rw, | |
| /home/*/.cache/gnome-mplayer/plugin/gecko-mediaplayer* rw, | |
| /home/*/.cache/google-chrome/ rw, | |
| /home/*/.cache/google-chrome/** rw, | |
| /home/*/.cache/google-chrome/Default/Cache/* rw, | |
| /home/*/.cache/google-chrome/Default/Media*/* rw, | |
| /home/*/.config/dconf/user r, | |
| /home/*/.config/google-chrome/ rw, | |
| /home/*/.config/google-chrome/** rwk, | |
| /home/*/.config/ibus/bus/ w, | |
| /home/*/.config/user-dirs.dirs r, | |
| /home/*/.config/oxygen-gtk/* rw, | |
| /home/*/.fontconfig/* r, | |
| /home/*/.gksu.lock r, | |
| /home/*/.goutputstream-* r, | |
| /home/*/.gtk-bookmarks r, | |
| /home/*/.icons/ r, | |
| /home/*/.local/share/icons/ r, | |
| /home/*/.local/share/icons/** r, | |
| /home/*/.local/share/mime/* r, | |
| /home/*/.local/share/recently-used.xbel* rw, | |
| /home/*/.mozilla/firefox/*.default/compatibility.ini r, | |
| /home/*/.mozilla/firefox/profiles.ini r, | |
| /home/*/.nv/GLCache/ r, | |
| /home/*/.nv/GLCache/** rwk, | |
| /home/*/.pki/nssdb/* r, | |
| /home/*/.pki/nssdb/*.db rwk, | |
| /home/*/.pulse-cookie rwk, | |
| /home/*/.thumbnails/normal/* r, | |
| /home/*/.xsession-errors r, | |
| /home/*/.config/ibus/bus/* r, | |
| owner /home/*/Downloads/ r, | |
| owner /home/*/Downloads/** rw, | |
| owner /home/*/Public/ r, | |
| owner /home/*/Public/** r, | |
| /opt/google/chrome/** r, | |
| /opt/google/chrome/*.so mr, | |
| /opt/google/chrome/lib/*.so mr, | |
| /opt/google/chrome/PepperFlash/libpepflashplayer.so mr, | |
| /opt/google/chrome/chrome mrix, | |
| /opt/google/chrome/chrome-sandbox rPx, | |
| /opt/google/chrome/extensions/ rw, | |
| /opt/google/chrome/google-chrome Px, | |
| /opt/google/chrome/nacl_helper_bootstrap Px, | |
| /opt/google/chrome/nacl_helper rix, | |
| /opt/google/chrome/xdg-settings Cx, | |
| /proc/ r, | |
| /proc/[0-9]*/cmdline r, | |
| /proc/[0-9]*/fd/ r, | |
| /proc/[0-9]*/io r, | |
| /proc/[0-9]*/maps r, | |
| /proc/[0-9]*/mounts r, | |
| /proc/[0-9]*/oom_score_adj w, | |
| /proc/[0-9]*/stat r, | |
| /proc/[0-9]*/statm r, | |
| /proc/[0-9]*/status r, | |
| /proc/[0-9]*/task/ r, | |
| /proc/[0-9]*/task/[0-9]*/stat r, | |
| /proc/cpuinfo r, | |
| /proc/filesystems r, | |
| /proc/meminfo r, | |
| /proc/sys/kernel/shmmax r, | |
| /proc/sys/kernel/yama/ptrace_scope r, | |
| /proc/sys/net/ipv4/tcp_fastopen r, | |
| /proc/[0-9]*/setgroups w, | |
| /proc/[0-9]*/uid_map w, | |
| /proc/[0-9]*/gid_map w, | |
| /run/resolvconf/resolv.conf r, | |
| /run/shm/.com.google.Chrome.* rw, | |
| /run/shm/com.google.Chrome.shmem.* rw, | |
| /run/user/[0-9]*/dconf/user rw, | |
| /run/dbus/system_bus_socket rw, | |
| /selinux/ r, | |
| /sys/bus/pci/devices/ r, | |
| /sys/devices/pci[0-9]*/**/class r, | |
| /sys/devices/pci[0-9]*/**/device r, | |
| /sys/devices/pci[0-9]*/**/irq r, | |
| /sys/devices/pci[0-9]*/**/resource r, | |
| /sys/devices/pci[0-9]*/**/vendor r, | |
| /sys/devices/pci[0-9]*/**/idProduct r, | |
| /sys/devices/pci[0-9]*/**/idVendor r, | |
| /sys/devices/system/cpu/ r, | |
| /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r, | |
| /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r, | |
| /tmp/ r, | |
| /tmp/* mrw, | |
| /tmp/.com.google.Chrome.*/ rw, | |
| /tmp/.com.google.Chrome.*/Singleton* w, | |
| /tmp/CRX_75DAF8CB7768/ rw, | |
| /tmp/CRX_75DAF8CB7768/* rw, | |
| /tmp/icedteaplugin-*/ w, | |
| /tmp/icedteaplugin-*/[0-9]*-icedteanp-* rw, | |
| /tmp/scoped_dir_*/ rw, | |
| /tmp/scoped_dir_*/.com.google.Chrome.* rw, | |
| /tmp/scoped_dir_*/CRX_INSTALL/ rw, | |
| /tmp/scoped_dir_*/CRX_INSTALL/** rw, | |
| /tmp/scoped_dir*/DECODED* rw, | |
| /tmp/scoped_dir_*/mccea*_[0-9]*.crx rw, | |
| /usr/bin/gnome-mplayer Px, | |
| /usr/bin/lsb_release Cxr, | |
| /usr/bin/python2.7 r, | |
| /usr/bin/xdg-open Cx, | |
| /usr/bin/xdg-settings Cx, | |
| /usr/include/python2.7/pyconfig.h r, | |
| /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so mr, | |
| /usr/lib/mozilla/plugins/gecko-mediaplayer-*.so mr, | |
| /usr/lib/mozilla/plugins/gecko-mediaplayer.so mr, | |
| /usr/lib/totem/totem-plugin-viewer Px, | |
| /usr/lib/x86_64-linux-gnu/gtk-2.0/*/immodules/*.so mr, | |
| /usr/lib/x86_64-linux-gnu/pango/*/modules/pango-*.so mr, | |
| /usr/local/lib/python2.7/dist-packages/ r, | |
| /usr/share/X11/XErrorDB r, | |
| /usr/share/glib-2.0/schemas/gschemas.compiled r, | |
| /usr/share/gvfs/remote-volume-monitors/ r, | |
| /usr/share/gvfs/remote-volume-monitors/* r, | |
| /usr/share/icons/ r, | |
| /usr/share/icons/** r, | |
| /usr/share/mime/** r, | |
| /usr/share/misc/pci.ids r, | |
| /usr/share/pixmaps/ r, | |
| /usr/share/pyshared/* r, | |
| /usr/share/themes/** r, | |
| /var/tmp/ r, | |
| /var/tmp/* rw, | |
| owner /{run,dev}/shm/pulse-shm* k, | |
| /{run,dev}/shm/pulse-shm* rw, | |
| /dev/shm/.com.google* rw, | |
| profile /opt/google/chrome/xdg-settings { | |
| /bin/dash r, | |
| /bin/grep rix, | |
| /bin/readlink rix, | |
| /bin/sed rix, | |
| /bin/which rix, | |
| /dev/null w, | |
| /etc/gnome/defaults.list r, | |
| /etc/ld.so.cache r, | |
| /etc/locale.alias r, | |
| /usr/share/applications/google-chrome.desktio r, | |
| /home/*/.local/share/applications/ r, | |
| /home/*/.local/share/applications/google-chrome.desktop r, | |
| /home/*/.local/share/applications/mimeapps.list r, | |
| /lib/x86_64-linux-gnu/ld-*.so r, | |
| /lib/x86_64-linux-gnu/libc-*.so mr, | |
| /lib/x86_64-linux-gnu/libdl-*.so mr, | |
| /lib/x86_64-linux-gnu/libm-*.so mr, | |
| /lib/x86_64-linux-gnu/libselinux.so.* mr, | |
| /opt/google/chrome/xdg-settings r, | |
| /proc/*/maps r, | |
| /proc/filesystems r, | |
| /usr/bin/basename rix, | |
| /usr/bin/cut rix, | |
| /usr/bin/gawk rix, | |
| /usr/bin/mawk rix, | |
| /usr/bin/xdg-mime rix, | |
| /usr/lib/libsigsegv.so.* mr, | |
| /usr/lib/locale/** r, | |
| /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r, | |
| } | |
| profile /usr/bin/lsb_release flags=(complain) { | |
| #include <abstractions/base> | |
| #include <abstractions/python> | |
| /usr/bin/lsb_release rix, | |
| /bin/dash ixr, | |
| /usr/bin/dpkg-query ixr, | |
| /usr/include/python2.[4567]/pyconfig.h r, | |
| /etc/lsb-release r, | |
| /etc/debian_version r, | |
| /etc/dpkg/origins/debian r, | |
| /var/lib/dpkg/** r, | |
| /usr/local/lib/python3.[0-4]/dist-packages/ r, | |
| /usr/bin/ r, | |
| /usr/bin/python3.[0-4] r, | |
| /usr/bin/python2.7 r, | |
| } | |
| profile /usr/bin/xdg-open { | |
| #include <abstractions/base> | |
| /bin/dash r, | |
| /etc/gnome/defaults.list r, | |
| /etc/nsswitch.conf r, | |
| /etc/passwd r, | |
| /home/*/.local/share/applications/mimeapps.list r, | |
| /home/*/.local/share/applications/mimeinfo.cache r, | |
| /home/*/.local/share/mime/* r, | |
| /proc/*/fd/ r, | |
| /usr/bin/evince Px, | |
| /usr/bin/gnome-open rix, | |
| /usr/bin/gvfs-open rix, | |
| /usr/bin/transmission-gtk Px, | |
| /usr/bin/xdg-open r, | |
| /usr/share/applications/*.desktop r, | |
| /usr/share/applications/evince.desktop r, | |
| /usr/share/applications/gimp.desktop r, | |
| /usr/share/applications/mimeinfo.cache r, | |
| /usr/share/mime/* r, | |
| } | |
| profile /usr/bin/xdg-settings { | |
| /bin/cat rix, | |
| /bin/dash r, | |
| /bin/grep rix, | |
| /bin/readlink rix, | |
| /bin/sed rix, | |
| /bin/which rix, | |
| /usr/bin/tr rix, | |
| /dev/null w, | |
| /etc/gnome/defaults.list r, | |
| /etc/ld.so.cache r, | |
| /etc/locale.alias r, | |
| /usr/share/applications/google-chrome.desktop r, | |
| /usr/share/locale-langpack/** r, | |
| /home/*/.local/share/applications/google-chrome.desktop r, | |
| /home/*/.local/share/applications/mimeapps.list r, | |
| /home/*/.config/mimeapps.list r, | |
| /lib/x86_64-linux-gnu/ld-*.so r, | |
| /lib/x86_64-linux-gnu/libc-*.so mr, | |
| /lib/x86_64-linux-gnu/libdbus-1.so.* mr, | |
| /lib/x86_64-linux-gnu/libdl-*.so mr, | |
| /lib/x86_64-linux-gnu/libglib-2.0.so.* mr, | |
| /lib/x86_64-linux-gnu/libm-*.so mr, | |
| /lib/x86_64-linux-gnu/libpcre.so.* mr, | |
| /lib/x86_64-linux-gnu/libpthread-*.so mr, | |
| /lib/x86_64-linux-gnu/libresolv-*.so mr, | |
| /lib/x86_64-linux-gnu/librt-*.so mr, | |
| /lib/x86_64-linux-gnu/libselinux.so.* mr, | |
| /lib/x86_64-linux-gnu/libz.so.* mr, | |
| /lib/x86_64-linux-gnu/libreadline.so.* mr, | |
| /proc/[0-9]*/maps r, | |
| /proc/filesystems r, | |
| /usr/bin/basename rix, | |
| /usr/bin/cut rix, | |
| /usr/bin/head rix, | |
| /usr/bin/gawk rix, | |
| /usr/bin/gconftool-2 rix, | |
| /usr/bin/mawk rix, | |
| /usr/bin/xdg-mime rix, | |
| /usr/bin/xdg-settings r, | |
| /usr/bin/kde4-config rix, | |
| /usr/bin/ktraderclient rix, | |
| /usr/bin/kreadconfig rix, | |
| /usr/lib/libsigsegv.so.* mr, | |
| /usr/lib/locale/** r, | |
| /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r, | |
| /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.* mr, | |
| /usr/lib/x86_64-linux-gnu/libffi.so.* mr, | |
| /usr/lib/x86_64-linux-gnu/libgconf-2.so.* mr, | |
| /usr/lib/x86_64-linux-gnu/libgio-2.0.so.* mr, | |
| /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.* mr, | |
| /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.* mr, | |
| /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.* mr, | |
| /usr/lib/x86_64-linux-gnu/libxml2.so.* mr, | |
| /usr/lib/x86_64-linux-gnu/libsigsegv.so.* mr, | |
| /usr/lib/x86_64-linux-gnu/libreadline.so.* mr, | |
| /usr/lib/x86_64-linux-gnu/libmpfr.so.* mr, | |
| /usr/lib/x86_64-linux-gnu/libgmp.so.* mr, | |
| /lib/x86_64-linux-gnu/libtinfo.so.* mr, | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Last Modified: Wed Oct 12 13:00:00 2016 | |
| # All credits to: | |
| # https://github.com/detrout/apparmor-det/ | |
| # Helpful links: | |
| # https://bugs.dogfood.paddev.net/ubuntu/+source/libvirt/+bug/1386465 | |
| # http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html | |
| #include <tunables/global> | |
| /opt/google/chrome/chrome-sandbox { | |
| capability chown, | |
| ## capability dac_override, | |
| capability fsetid, | |
| capability setgid, | |
| capability setuid, | |
| capability sys_admin, | |
| capability sys_chroot, | |
| capability sys_ptrace, | |
| /etc/ld.so.cache r, | |
| /lib/@{multiarch}/ld-*.so* mr, | |
| /lib/x86_64-linux-gnu/libattr.so* mr, | |
| /lib/x86_64-linux-gnu/libc-*.so mr, | |
| /lib/x86_64-linux-gnu/libcap.so* mr, | |
| /lib/x86_64-linux-gnu/libexpat.so* mr, | |
| /lib/x86_64-linux-gnu/librt-*.so mr, | |
| /lib/x86_64-linux-gnu/libdl-*.so mr, | |
| /lib/x86_64-linux-gnu/libglib-*.so* mr, | |
| /lib/x86_64-linux-gnu/libgcc_s.so* mr, | |
| /lib/x86_64-linux-gnu/libm-*.so mr, | |
| /lib/x86_64-linux-gnu/libpcre.so* mr, | |
| /lib/x86_64-linux-gnu/libpng*.so* mr, | |
| /lib/x86_64-linux-gnu/libpthread-*.so mr, | |
| /lib/x86_64-linux-gnu/libz.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libcairo.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libfontconfig.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libfreetype.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libpixman-*.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libnss3.so mr, | |
| /usr/lib/x86_64-linux-gnu/nss/*.so mr, | |
| /usr/lib/x86_64-linux-gnu/libnssutil3.so mr, | |
| /usr/lib/x86_64-linux-gnu/libnspr4.so mr, | |
| /usr/lib/x86_64-linux-gnu/libplc4.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libplds*.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libsqlite3.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libstdc++.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libxcb.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libxcb-render.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libxcb-shm.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libXau.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libXdmcp.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libXrender.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libXext.so* mr, | |
| /usr/lib/x86_64-linux-gnu/libX11.so* mr, | |
| /dev/urandom r, | |
| /sys/devices/system/cpu/online r, | |
| /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r, | |
| /proc/ r, | |
| /proc/*/fd/ r, | |
| /proc/cpuinfo r, | |
| /proc/stat r, | |
| owner /tmp/** rw, | |
| @{PROC}/ r, | |
| @{PROC}/[0-9]*/ r, | |
| @{PROC}/[0-9]*/fd/ r, | |
| @{PROC}/[0-9]*/oom_adj w, | |
| @{PROC}/[0-9]*/oom_score_adj w, | |
| @{PROC}/[0-9]*/task/ r, | |
| @{PROC}/[0-9]*/task/[0-9]*/stat r, | |
| # Transition to main chrome binary | |
| /opt/google/chrome/chrome rPx, | |
| /opt/google/chrome/chrome-sandbox r, | |
| /opt/google/chrome/nacl_helper rix, | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Last Modified: Wed Oct 12 13:00:00 2016 | |
| # All credits to: | |
| # https://github.com/detrout/apparmor-det/ | |
| # Helpful links: | |
| # https://bugs.dogfood.paddev.net/ubuntu/+source/libvirt/+bug/1386465 | |
| # http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html | |
| #include <tunables/global> | |
| /opt/google/chrome/google-chrome { | |
| #include <abstractions/base> | |
| #include <abstractions/bash> | |
| /bin/bash rix, | |
| /bin/cat rix, | |
| /bin/dash r, | |
| /bin/grep rix, | |
| /bin/mkdir rix, | |
| /bin/readlink rix, | |
| /bin/which rix, | |
| /dev/tty rw, | |
| /opt/google/chrome/chrome Px, | |
| /opt/google/chrome/google-chrome r, | |
| /proc/filesystems r, | |
| /usr/bin/dirname rix, | |
| /usr/bin/zenity rix, | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Last Modified: Wed Oct 12 13:00:00 2016 | |
| # All credits to: | |
| # https://github.com/detrout/apparmor-det/ | |
| # Helpful links: | |
| # https://bugs.dogfood.paddev.net/ubuntu/+source/libvirt/+bug/1386465 | |
| # http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html | |
| #include <tunables/global> | |
| /opt/google/chrome/nacl_helper_bootstrap { | |
| #include <abstractions/base> | |
| /opt/google/chrome/nacl_helper mr, | |
| /opt/google/chrome/nacl_helper_bootstrap mr, | |
| /proc/cpuinfo r, | |
| /proc/filesystems r, | |
| /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r, | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment