[apparmor] [patch 1/8] chromium-browser profile
Christian Boltz
apparmor at cboltz.de
Wed Feb 12 19:12:13 UTC 2014
Hello,
Am Dienstag, 11. Februar 2014 schrieb Seth Arnold:
> Author: Jamie Strandboge <jamie at canonical.com>
> Description: chromium-browser profile
> Forwarded: yes
>
> ---
> profiles/apparmor.d/usr.bin.chromium-browser | 221
Just to make sure I understand this correctly - you propose to add this
profile to bzr trunk, to the set of default profiles, right?
Short summary: The profile contains some restrictions that will result
in quite a few annoyed users (especially the restriction to ~/Public and
~/Downloads). Therefore I'm not sure if it should be in the set of
profiles that are enabled by default.
I have been thinking for some time about introducing an
"apparmor-profiles-paranoid" package (with a big warning that it _will_
break what a typical user often does) - maybe this profile would be a
reason to finally do it ;-)
See below for more details.
> Index: b/profiles/apparmor.d/usr.bin.chromium-browser
> ===================================================================
> --- /dev/null
> +++ b/profiles/apparmor.d/usr.bin.chromium-browser
> @@ -0,0 +1,221 @@
> +# Author: Jamie Strandboge <jamie at canonical.com>
> +#include <tunables/global>
> +
> +# We need 'flags=(attach_disconnected)' in newer chromium versions
> +/usr/lib/chromium-browser/chromium-browser
> flags=(attach_disconnected) {
> + #include <abstractions/audio>
> + #include <abstractions/cups-client>
> + #include <abstractions/dbus-session>
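Review bot: The comment above the `flags=(attach_disconnected)` line says newer chromium versions need the flag but not which operation is denied without it; please record that denial in the comment. The flag makes paths that are disconnected from the namespace root be mediated as if they were attached at `/`, so the existing path rules cover more than they appear to, and a documented reason lets the grant be dropped again once the need goes away.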
Just curious - would dbus-session-strict be enough?
> + #include <abstractions/gnome>
> + #include <abstractions/ibus>
> + #include <abstractions/nameservice>
> + #include <abstractions/user-tmp>
> +
> + # This include specifies which ubuntu-browsers.d abstractions to
> use. Eg, if + # you want access to productivity applications, adjust
> the following file + # accordingly.
> + #include <abstractions/ubuntu-browsers.d/chromium-browser>
Users of other distributions will *love* ubuntu-browsers.d ;-)
I know that it's only a name, nevertheless it would be a good idea to
rename it (not the most urgent problem, but... ;-)
[...]
> + # Default profile allows downloads to ~/Downloads and uploads from
> ~/Public
This comment is wrong - uploads are allowed from ~/Public/ and
~/Downloads/ ;-)
That said: yes, I know this setup is very secure, but I'm also sure it
will cause some ;-) bug reports like "I can't download files to
~/coolstuff".
The perfect solution would be to wait for the content helper - what's
the current status there?
> + owner @{HOME}/ r,
> + owner @{HOME}/Public/ r,
> + owner @{HOME}/Public/* r,
> + owner @{HOME}/Downloads/ r,
> + owner @{HOME}/Downloads/* rw,
> +
> + # Helpers
> + /usr/bin/xdg-open ixr,
> + /usr/bin/gnome-open ixr,
> + /usr/bin/gvfs-open ixr,
> + # TODO: kde, xfce
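Review bot: The `ixr` rules for /usr/bin/xdg-open, /usr/bin/gnome-open and /usr/bin/gvfs-open keep the helper, and anything it goes on to execute, under this profile, so a viewer launched for a downloaded file runs with the browser's rules and is denied unless it has an exec rule of its own here; either document that this is intended or consider a transition into a dedicated child profile, as the patch already does with `profile xdgsettings`. Also worth a comment: `owner @{HOME}/Downloads/* rw` intentionally does not cover subdirectories of ~/Downloads, so the limit is not later mistaken for a missing `**`.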
Oh nice - this TODO will result in the next flood of bug reports
(according to a survey, more than 70% of openSUSE users use KDE as
their desktop - guess how many annoyed users and bug reports that
means...)
Hint: For KDE, it is probably /usr/bin/kde-open
> + profile xdgsettings {
[...]
> + # Setting the default browser
[...]
> + owner @{HOME}/.local/share/applications/ w,
Hmm, why write permissions for the directory?
> + owner @{HOME}/.local/share/applications/mimeapps.list* rw,
Personally, I'd say a browser should never be allowed to change the
default browser (and I'd even forbid checking whether it is the current
default browser - I'm not the biggest fan of the "hey, I'm not your
default browser" warnings ;-)
Additionally, there's a chance that malicious code changes the default
application for a file the user just downloaded, which could in theory
cause some delayed remote code execution (somewhat similar to "stored
XSS").
> + }
> +
> + # Site-specific additions and overrides. See local/README for
> details.
> + #include <local/usr.bin.chromium-browser>
Hiding this #include between two child profiles is, hmm, interesting ;-)
Can you move it to a more visible place, please? (like the end of the
main profile, above the child profiles)
> +profile chromium_browser_sandbox {
[...]
> + # *Sigh*
> + capability sys_ptrace,
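Review bot: The `# *Sigh*` comment above `capability sys_ptrace` in the chromium_browser_sandbox child profile does not say which sandbox operation needs the capability; please replace it with the actual reason and a pointer to the chromium code or bug that requires it, so the grant can be re-evaluated, since CAP_SYS_PTRACE lets the sandbox helper trace processes it otherwise could not.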
Nice comment, but not too useful for the average user...
Regards,
Christian Boltz
--
Graphical??? What do you mean? Have you eaten too much meat from "happy"
cows? *scnr* Why the heck would anyone need something like that?
A logo would work in ASCII too :) (Logo? What logo? What for, anyway?)
[David Haller in suse-linux]