Skip to content

Instantly share code, notes, and snippets.

@mauron85

mauron85/opt.google.chrome.chrome

Created October 12, 2016 11:19
Show Gist options
  • Save mauron85/6b6d346b2fbd8dc9070711679546bfda to your computer and use it in GitHub Desktop.
Save mauron85/6b6d346b2fbd8dc9070711679546bfda to your computer and use it in GitHub Desktop.
Download ZIP
Google Chrome AppArmor profile for Ubuntu 16.04
Raw
opt.google.chrome.chrome
# Last Modified: Wed Oct 12 13:00:00 2016
# All credits to:
# https://github.com/detrout/apparmor-det/
# Helpful links:
# https://bugs.dogfood.paddev.net/ubuntu/+source/libvirt/+bug/1386465
# http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html
#include <tunables/global>
/opt/google/chrome/chrome {
#include <abstractions/audio>
#include <abstractions/base>
##include <abstractions/ubuntu-browsers.d/java>
#include <abstractions/dbus>
#include <abstractions/dbus-session>
#include <abstractions/dbus-accessibility>
#include <abstractions/gnome>
#/usr/bin/kde4-config rix,
#/home/*/.kde/share/config/kdeglobals r,
#/home/*/.kde/share/config/gtkrc-2.0 r,
#/home/*/.kde/share/config/kioslaverc r,
#/home/*/.kde/share/config/oxygenrc r,
#include <abstractions/fonts>
#include <abstractions/nvidia>
#include <abstractions/video>
#capability kill,
#capability net_admin,
#capability net_raw,
#capability setgid,
capability sys_admin,
#capability sys_module,
#capability sys_ptrace,
#capability sys_nice,
capability sys_chroot,
#capability setuid,
#capability dac_override,
#capability dac_read_search,
#capability fowner,
#capability chown,
#capability setpcap,
#capability mknod,
#capability fsetid,
#capability ipc_lock,
#capability audit_write,
# Needed for vfio
#capability sys_resource,
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
network packet dgram,
network netlink,
/bin/which rix,
/dev/ r,
/dev/video* rw,
/etc/fstab r,
/etc/gai.conf r,
/etc/group r,
/etc/host.conf r,
/etc/hosts r,
/etc/lsb-release r,
/etc/mtab r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/python2.7/sitecustomize.py r,
/etc/resolv.conf r,
/etc/udev/udev.conf r,
owner /home/*/ r,
/home/*/.ICEauthority r,
/home/*/.Xauthority r,
/home/*/.cache/dconf/user rw,
/home/*/.cache/gnome-mplayer/plugin/gecko-mediaplayer* rw,
/home/*/.cache/google-chrome/ rw,
/home/*/.cache/google-chrome/** rw,
/home/*/.cache/google-chrome/Default/Cache/* rw,
/home/*/.cache/google-chrome/Default/Media*/* rw,
/home/*/.config/dconf/user r,
/home/*/.config/google-chrome/ rw,
/home/*/.config/google-chrome/** rwk,
/home/*/.config/ibus/bus/ w,
/home/*/.config/user-dirs.dirs r,
/home/*/.config/oxygen-gtk/* rw,
/home/*/.fontconfig/* r,
/home/*/.gksu.lock r,
/home/*/.goutputstream-* r,
/home/*/.gtk-bookmarks r,
/home/*/.icons/ r,
/home/*/.local/share/icons/ r,
/home/*/.local/share/icons/** r,
/home/*/.local/share/mime/* r,
/home/*/.local/share/recently-used.xbel* rw,
/home/*/.mozilla/firefox/*.default/compatibility.ini r,
/home/*/.mozilla/firefox/profiles.ini r,
/home/*/.nv/GLCache/ r,
/home/*/.nv/GLCache/** rwk,
/home/*/.pki/nssdb/* r,
/home/*/.pki/nssdb/*.db rwk,
/home/*/.pulse-cookie rwk,
/home/*/.thumbnails/normal/* r,
/home/*/.xsession-errors r,
/home/*/.config/ibus/bus/* r,
owner /home/*/Downloads/ r,
owner /home/*/Downloads/** rw,
owner /home/*/Public/ r,
owner /home/*/Public/** r,
/opt/google/chrome/** r,
/opt/google/chrome/*.so mr,
/opt/google/chrome/lib/*.so mr,
/opt/google/chrome/PepperFlash/libpepflashplayer.so mr,
/opt/google/chrome/chrome mrix,
/opt/google/chrome/chrome-sandbox rPx,
/opt/google/chrome/extensions/ rw,
/opt/google/chrome/google-chrome Px,
/opt/google/chrome/nacl_helper_bootstrap Px,
/opt/google/chrome/nacl_helper rix,
/opt/google/chrome/xdg-settings Cx,
/proc/ r,
/proc/[0-9]*/cmdline r,
/proc/[0-9]*/fd/ r,
/proc/[0-9]*/io r,
/proc/[0-9]*/maps r,
/proc/[0-9]*/mounts r,
/proc/[0-9]*/oom_score_adj w,
/proc/[0-9]*/stat r,
/proc/[0-9]*/statm r,
/proc/[0-9]*/status r,
/proc/[0-9]*/task/ r,
/proc/[0-9]*/task/[0-9]*/stat r,
/proc/cpuinfo r,
/proc/filesystems r,
/proc/meminfo r,
/proc/sys/kernel/shmmax r,
/proc/sys/kernel/yama/ptrace_scope r,
/proc/sys/net/ipv4/tcp_fastopen r,
/proc/[0-9]*/setgroups w,
/proc/[0-9]*/uid_map w,
/proc/[0-9]*/gid_map w,
/run/resolvconf/resolv.conf r,
/run/shm/.com.google.Chrome.* rw,
/run/shm/com.google.Chrome.shmem.* rw,
/run/user/[0-9]*/dconf/user rw,
/run/dbus/system_bus_socket rw,
/selinux/ r,
/sys/bus/pci/devices/ r,
/sys/devices/pci[0-9]*/**/class r,
/sys/devices/pci[0-9]*/**/device r,
/sys/devices/pci[0-9]*/**/irq r,
/sys/devices/pci[0-9]*/**/resource r,
/sys/devices/pci[0-9]*/**/vendor r,
/sys/devices/pci[0-9]*/**/idProduct r,
/sys/devices/pci[0-9]*/**/idVendor r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
/tmp/ r,
/tmp/* mrw,
/tmp/.com.google.Chrome.*/ rw,
/tmp/.com.google.Chrome.*/Singleton* w,
/tmp/CRX_75DAF8CB7768/ rw,
/tmp/CRX_75DAF8CB7768/* rw,
/tmp/icedteaplugin-*/ w,
/tmp/icedteaplugin-*/[0-9]*-icedteanp-* rw,
/tmp/scoped_dir_*/ rw,
/tmp/scoped_dir_*/.com.google.Chrome.* rw,
/tmp/scoped_dir_*/CRX_INSTALL/ rw,
/tmp/scoped_dir_*/CRX_INSTALL/** rw,
/tmp/scoped_dir*/DECODED* rw,
/tmp/scoped_dir_*/mccea*_[0-9]*.crx rw,
/usr/bin/gnome-mplayer Px,
/usr/bin/lsb_release Cxr,
/usr/bin/python2.7 r,
/usr/bin/xdg-open Cx,
/usr/bin/xdg-settings Cx,
/usr/include/python2.7/pyconfig.h r,
/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so mr,
/usr/lib/mozilla/plugins/gecko-mediaplayer-*.so mr,
/usr/lib/mozilla/plugins/gecko-mediaplayer.so mr,
/usr/lib/totem/totem-plugin-viewer Px,
/usr/lib/x86_64-linux-gnu/gtk-2.0/*/immodules/*.so mr,
/usr/lib/x86_64-linux-gnu/pango/*/modules/pango-*.so mr,
/usr/local/lib/python2.7/dist-packages/ r,
/usr/share/X11/XErrorDB r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
/usr/share/icons/ r,
/usr/share/icons/** r,
/usr/share/mime/** r,
/usr/share/misc/pci.ids r,
/usr/share/pixmaps/ r,
/usr/share/pyshared/* r,
/usr/share/themes/** r,
/var/tmp/ r,
/var/tmp/* rw,
owner /{run,dev}/shm/pulse-shm* k,
/{run,dev}/shm/pulse-shm* rw,
/dev/shm/.com.google* rw,
profile /opt/google/chrome/xdg-settings {
/bin/dash r,
/bin/grep rix,
/bin/readlink rix,
/bin/sed rix,
/bin/which rix,
/dev/null w,
/etc/gnome/defaults.list r,
/etc/ld.so.cache r,
/etc/locale.alias r,
/usr/share/applications/google-chrome.desktio r,
/home/*/.local/share/applications/ r,
/home/*/.local/share/applications/google-chrome.desktop r,
/home/*/.local/share/applications/mimeapps.list r,
/lib/x86_64-linux-gnu/ld-*.so r,
/lib/x86_64-linux-gnu/libc-*.so mr,
/lib/x86_64-linux-gnu/libdl-*.so mr,
/lib/x86_64-linux-gnu/libm-*.so mr,
/lib/x86_64-linux-gnu/libselinux.so.* mr,
/opt/google/chrome/xdg-settings r,
/proc/*/maps r,
/proc/filesystems r,
/usr/bin/basename rix,
/usr/bin/cut rix,
/usr/bin/gawk rix,
/usr/bin/mawk rix,
/usr/bin/xdg-mime rix,
/usr/lib/libsigsegv.so.* mr,
/usr/lib/locale/** r,
/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
}
profile /usr/bin/lsb_release flags=(complain) {
#include <abstractions/base>
#include <abstractions/python>
/usr/bin/lsb_release rix,
/bin/dash ixr,
/usr/bin/dpkg-query ixr,
/usr/include/python2.[4567]/pyconfig.h r,
/etc/lsb-release r,
/etc/debian_version r,
/etc/dpkg/origins/debian r,
/var/lib/dpkg/** r,
/usr/local/lib/python3.[0-4]/dist-packages/ r,
/usr/bin/ r,
/usr/bin/python3.[0-4] r,
/usr/bin/python2.7 r,
}
profile /usr/bin/xdg-open {
#include <abstractions/base>
/bin/dash r,
/etc/gnome/defaults.list r,
/etc/nsswitch.conf r,
/etc/passwd r,
/home/*/.local/share/applications/mimeapps.list r,
/home/*/.local/share/applications/mimeinfo.cache r,
/home/*/.local/share/mime/* r,
/proc/*/fd/ r,
/usr/bin/evince Px,
/usr/bin/gnome-open rix,
/usr/bin/gvfs-open rix,
/usr/bin/transmission-gtk Px,
/usr/bin/xdg-open r,
/usr/share/applications/*.desktop r,
/usr/share/applications/evince.desktop r,
/usr/share/applications/gimp.desktop r,
/usr/share/applications/mimeinfo.cache r,
/usr/share/mime/* r,
}
profile /usr/bin/xdg-settings {
/bin/cat rix,
/bin/dash r,
/bin/grep rix,
/bin/readlink rix,
/bin/sed rix,
/bin/which rix,
/usr/bin/tr rix,
/dev/null w,
/etc/gnome/defaults.list r,
/etc/ld.so.cache r,
/etc/locale.alias r,
/usr/share/applications/google-chrome.desktop r,
/usr/share/locale-langpack/** r,
/home/*/.local/share/applications/google-chrome.desktop r,
/home/*/.local/share/applications/mimeapps.list r,
/home/*/.config/mimeapps.list r,
/lib/x86_64-linux-gnu/ld-*.so r,
/lib/x86_64-linux-gnu/libc-*.so mr,
/lib/x86_64-linux-gnu/libdbus-1.so.* mr,
/lib/x86_64-linux-gnu/libdl-*.so mr,
/lib/x86_64-linux-gnu/libglib-2.0.so.* mr,
/lib/x86_64-linux-gnu/libm-*.so mr,
/lib/x86_64-linux-gnu/libpcre.so.* mr,
/lib/x86_64-linux-gnu/libpthread-*.so mr,
/lib/x86_64-linux-gnu/libresolv-*.so mr,
/lib/x86_64-linux-gnu/librt-*.so mr,
/lib/x86_64-linux-gnu/libselinux.so.* mr,
/lib/x86_64-linux-gnu/libz.so.* mr,
/lib/x86_64-linux-gnu/libreadline.so.* mr,
/proc/[0-9]*/maps r,
/proc/filesystems r,
/usr/bin/basename rix,
/usr/bin/cut rix,
/usr/bin/head rix,
/usr/bin/gawk rix,
/usr/bin/gconftool-2 rix,
/usr/bin/mawk rix,
/usr/bin/xdg-mime rix,
/usr/bin/xdg-settings r,
/usr/bin/kde4-config rix,
/usr/bin/ktraderclient rix,
/usr/bin/kreadconfig rix,
/usr/lib/libsigsegv.so.* mr,
/usr/lib/locale/** r,
/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
/usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.* mr,
/usr/lib/x86_64-linux-gnu/libffi.so.* mr,
/usr/lib/x86_64-linux-gnu/libgconf-2.so.* mr,
/usr/lib/x86_64-linux-gnu/libgio-2.0.so.* mr,
/usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.* mr,
/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.* mr,
/usr/lib/x86_64-linux-gnu/libgthread-2.0.so.* mr,
/usr/lib/x86_64-linux-gnu/libxml2.so.* mr,
/usr/lib/x86_64-linux-gnu/libsigsegv.so.* mr,
/usr/lib/x86_64-linux-gnu/libreadline.so.* mr,
/usr/lib/x86_64-linux-gnu/libmpfr.so.* mr,
/usr/lib/x86_64-linux-gnu/libgmp.so.* mr,
/lib/x86_64-linux-gnu/libtinfo.so.* mr,
}
}
Raw
opt.google.chrome.chrome-sandbox
# Last Modified: Wed Oct 12 13:00:00 2016
# All credits to:
# https://github.com/detrout/apparmor-det/
# Helpful links:
# https://bugs.dogfood.paddev.net/ubuntu/+source/libvirt/+bug/1386465
# http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html
#include <tunables/global>
/opt/google/chrome/chrome-sandbox {
capability chown,
## capability dac_override,
capability fsetid,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
/etc/ld.so.cache r,
/lib/@{multiarch}/ld-*.so* mr,
/lib/x86_64-linux-gnu/libattr.so* mr,
/lib/x86_64-linux-gnu/libc-*.so mr,
/lib/x86_64-linux-gnu/libcap.so* mr,
/lib/x86_64-linux-gnu/libexpat.so* mr,
/lib/x86_64-linux-gnu/librt-*.so mr,
/lib/x86_64-linux-gnu/libdl-*.so mr,
/lib/x86_64-linux-gnu/libglib-*.so* mr,
/lib/x86_64-linux-gnu/libgcc_s.so* mr,
/lib/x86_64-linux-gnu/libm-*.so mr,
/lib/x86_64-linux-gnu/libpcre.so* mr,
/lib/x86_64-linux-gnu/libpng*.so* mr,
/lib/x86_64-linux-gnu/libpthread-*.so mr,
/lib/x86_64-linux-gnu/libz.so* mr,
/usr/lib/x86_64-linux-gnu/libcairo.so* mr,
/usr/lib/x86_64-linux-gnu/libfontconfig.so* mr,
/usr/lib/x86_64-linux-gnu/libfreetype.so* mr,
/usr/lib/x86_64-linux-gnu/libpixman-*.so* mr,
/usr/lib/x86_64-linux-gnu/libnss3.so mr,
/usr/lib/x86_64-linux-gnu/nss/*.so mr,
/usr/lib/x86_64-linux-gnu/libnssutil3.so mr,
/usr/lib/x86_64-linux-gnu/libnspr4.so mr,
/usr/lib/x86_64-linux-gnu/libplc4.so* mr,
/usr/lib/x86_64-linux-gnu/libplds*.so* mr,
/usr/lib/x86_64-linux-gnu/libsqlite3.so* mr,
/usr/lib/x86_64-linux-gnu/libstdc++.so* mr,
/usr/lib/x86_64-linux-gnu/libxcb.so* mr,
/usr/lib/x86_64-linux-gnu/libxcb-render.so* mr,
/usr/lib/x86_64-linux-gnu/libxcb-shm.so* mr,
/usr/lib/x86_64-linux-gnu/libXau.so* mr,
/usr/lib/x86_64-linux-gnu/libXdmcp.so* mr,
/usr/lib/x86_64-linux-gnu/libXrender.so* mr,
/usr/lib/x86_64-linux-gnu/libXext.so* mr,
/usr/lib/x86_64-linux-gnu/libX11.so* mr,
/dev/urandom r,
/sys/devices/system/cpu/online r,
/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
/proc/ r,
/proc/*/fd/ r,
/proc/cpuinfo r,
/proc/stat r,
owner /tmp/** rw,
@{PROC}/ r,
@{PROC}/[0-9]*/ r,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/oom_adj w,
@{PROC}/[0-9]*/oom_score_adj w,
@{PROC}/[0-9]*/task/ r,
@{PROC}/[0-9]*/task/[0-9]*/stat r,
# Transition to main chrome binary
/opt/google/chrome/chrome rPx,
/opt/google/chrome/chrome-sandbox r,
/opt/google/chrome/nacl_helper rix,
}
Raw
opt.google.chrome.google-chrome
# Last Modified: Wed Oct 12 13:00:00 2016
# All credits to:
# https://github.com/detrout/apparmor-det/
# Helpful links:
# https://bugs.dogfood.paddev.net/ubuntu/+source/libvirt/+bug/1386465
# http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html
#include <tunables/global>
/opt/google/chrome/google-chrome {
#include <abstractions/base>
#include <abstractions/bash>
/bin/bash rix,
/bin/cat rix,
/bin/dash r,
/bin/grep rix,
/bin/mkdir rix,
/bin/readlink rix,
/bin/which rix,
/dev/tty rw,
/opt/google/chrome/chrome Px,
/opt/google/chrome/google-chrome r,
/proc/filesystems r,
/usr/bin/dirname rix,
/usr/bin/zenity rix,
}
Raw
opt.google.chrome.nacl_helper_bootstrap
# Last Modified: Wed Oct 12 13:00:00 2016
# All credits to:
# https://github.com/detrout/apparmor-det/
# Helpful links:
# https://bugs.dogfood.paddev.net/ubuntu/+source/libvirt/+bug/1386465
# http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html
#include <tunables/global>
/opt/google/chrome/nacl_helper_bootstrap {
#include <abstractions/base>
/opt/google/chrome/nacl_helper mr,
/opt/google/chrome/nacl_helper_bootstrap mr,
/proc/cpuinfo r,
/proc/filesystems r,
/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment