Как включить AppArmor для Firefox и Chromium


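# Inspect the AppArmor policy tree before changing anything:
#   /etc/apparmor.d/          profiles shipped by packages
#   /etc/apparmor.d/disable/  symlinks marking profiles that must NOT be loaded
#   /etc/apparmor.d/local/    site-local overrides, pulled in by each profile's
#                             '#include <local/...>' line
ls -la /etc/apparmor.d/
ls -la /etc/apparmor.d/disable/
ls -la /etc/apparmor.d/local/

# Current state: which profiles are loaded, and whether in enforce or complain mode.
sudo apparmor_status

# Enable the shipped Firefox profile:
#  1. drop the "disable" symlink so the profile is loaded again at boot
#     (-f: no error if it is already gone; --: stop option parsing);
#  2. load it into the running kernel now. -r replaces an already-loaded
#     profile and loads it if absent, so the step can be repeated safely,
#     whereas -a fails when the profile is already loaded.
sudo rm -f -- /etc/apparmor.d/disable/usr.bin.firefox
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox

# To disable it again (reverse of the two steps above):
# sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/
# sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox

# The Chromium profile is not in the base install: apparmor-profiles ships it
# (note that it carries flags=(complain), i.e. it only logs until switched to
# enforce mode); apparmor-utils provides aa-enforce / aa-complain for that.
sudo apt install apparmor-utils apparmor-profiles
ls -la /usr/share/doc/apparmor-profiles/extras/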


Пояснения

Для начала ознакомьтесь с вводным постом по AppArmor.
AppArmor по умолчанию включен в Ubuntu.

В самом начале состояние каталогов AppArmor следующее:

$ ls -la /etc/apparmor.d/
total 144
drwxr-xr-x   8 root root  4096 Mar 17 01:24 .
drwxr-xr-x 138 root root 12288 Mar 19 15:30 ..
drwxr-xr-x   4 root root  4096 Mar 16 23:47 abstractions
drwxr-xr-x   2 root root  4096 Mar 17 01:24 cache
drwxr-xr-x   2 root root  4096 Feb 16 02:26 disable
drwxr-xr-x   2 root root  4096 Apr  5  2016 force-complain
-rw-r--r--   1 root root   732 Aug 12  2016 lightdm-guest-session
drwxr-xr-x   2 root root  4096 Feb 16 02:36 local
-rw-r--r--   1 root root  3310 Apr 13  2016 sbin.dhclient
drwxr-xr-x   5 root root  4096 Feb 16 02:34 tunables
-rw-r--r--   1 root root  5995 Mar  9  2016 usr.bin.evince
-rw-r--r--   1 root root  6615 Feb  1 23:59 usr.bin.firefox
-rw-r--r--   1 root root 38551 Dec 21 01:04 usr.bin.webbrowser-app
-rw-r--r--   1 root root 14496 Jan 14 21:06 usr.lib.snapd.snap-confine
-rw-r--r--   1 root root   469 Feb 13  2016 usr.sbin.cups-browsed
-rw-r--r--   1 root root  5119 Mar 25  2016 usr.sbin.cupsd
-rw-r--r--   1 root root   546 Sep 19  2015 usr.sbin.ippusbxd
-rw-r--r--   1 root root  1527 Jan  5  2016 usr.sbin.rsyslogd
-rw-r--r--   1 root root  1455 Feb 21 18:58 usr.sbin.tcpdump

$ ls -la /etc/apparmor.d/disable/
total 8
drwxr-xr-x 2 root root 4096 Feb 16 02:26 .
drwxr-xr-x 8 root root 4096 Mar 17 01:24 ..
lrwxrwxrwx 1 root root   31 Mar 16 23:30 usr.bin.firefox -> /etc/apparmor.d/usr.bin.firefox
lrwxrwxrwx 1 root root   33 Mar 16 23:30 usr.sbin.rsyslogd -> /etc/apparmor.d/usr.sbin.rsyslogd

$ ls -la /etc/apparmor.d/local/
total 52
drwxr-xr-x 2 root root 4096 Feb 16 02:36 .
drwxr-xr-x 8 root root 4096 Mar 17 01:24 ..
-rw-r--r-- 1 root root 1111 Oct 13 20:07 README
-rw-r--r-- 1 root root  120 Feb 16 02:20 sbin.dhclient
-rw-r--r-- 1 root root  121 Feb 16 02:35 usr.bin.evince
-rw-r--r-- 1 root root  122 Feb 16 02:36 usr.bin.firefox
-rw-r--r-- 1 root root  129 Feb 16 02:36 usr.bin.webbrowser-app
-rw-r--r-- 1 root root  133 Feb 16 02:34 usr.lib.snapd.snap-confine
-rw-r--r-- 1 root root  128 Feb 16 02:35 usr.sbin.cups-browsed
-rw-r--r-- 1 root root  121 Feb 16 02:32 usr.sbin.cupsd
-rw-r--r-- 1 root root  124 Feb 16 02:36 usr.sbin.ippusbxd
-rw-r--r-- 1 root root  124 Feb 16 02:20 usr.sbin.rsyslogd
-rw-r--r-- 1 root root  123 Feb 16 02:34 usr.sbin.tcpdump


В самом начале статус AppArmor следующий:

$ sudo apparmor_status
apparmor module is loaded.
22 profiles are loaded.
22 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/tcpdump
   webbrowser-app
   webbrowser-app//oxide_helper
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (1597) 
   /usr/sbin/cups-browsed (1223) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.


AppArmor поставляется с профилем для Firefox — это файл usr.bin.firefox в каталоге /etc/apparmor.d. По умолчанию он не включён: в /etc/apparmor.d/disable/ лежит символьная ссылка на него, поэтому профиль не загружается. Включить его нужно вручную.

$ sudo rm /etc/apparmor.d/disable/usr.bin.firefox
$ sudo apparmor_parser -a /etc/apparmor.d/usr.bin.firefox
$ sudo apparmor_status
apparmor module is loaded.
27 profiles are loaded.
27 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
   /usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
   /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/tcpdump
   webbrowser-app
   webbrowser-app//oxide_helper
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (1597) 
   /usr/sbin/cups-browsed (1223) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.


Профиль для Chromium в базовой системе отсутствует, его нужно устанавливать отдельным пакетом (apparmor-profiles).

$ sudo apt install apparmor-utils apparmor-profiles
$ ls -la /usr/share/doc/apparmor-profiles/extras/
total 408
drwxr-xr-x 2 root root 4096 Mar 19 22:37 .
drwxr-xr-x 3 root root 4096 Mar 19 22:37 ..
-rw-r--r-- 1 root root 1177 Oct 13 20:07 bin.netstat
-rw-r--r-- 1 root root 1252 Oct 13 20:07 etc.cron.daily.logrotate
-rw-r--r-- 1 root root  948 Oct 13 20:07 etc.cron.daily.slocate.cron
-rw-r--r-- 1 root root  722 Oct 13 20:07 etc.cron.daily.tmpwatch
-rw-r--r-- 1 root root 1724 Oct 13 20:07 README
-rw-r--r-- 1 root root 2571 Oct 13 20:07 sbin.dhclient
-rw-r--r-- 1 root root  513 Oct 13 20:07 sbin.dhclient-script
-rw-r--r-- 1 root root 1293 Oct 13 20:07 sbin.dhcpcd
-rw-r--r-- 1 root root  675 Oct 13 20:07 sbin.portmap
-rw-r--r-- 1 root root  866 Oct 13 20:07 sbin.resmgrd
-rw-r--r-- 1 root root  482 Oct 13 20:07 sbin.rpc.lockd
-rw-r--r-- 1 root root 1006 Oct 13 20:07 sbin.rpc.statd
-rw-r--r-- 1 root root 1648 Oct 13 20:07 usr.bin.acroread
-rw-r--r-- 1 root root  784 Oct 13 20:07 usr.bin.apropos
-rw-r--r-- 1 root root 4574 Oct 13 20:07 usr.bin.evolution-2.10
-rw-r--r-- 1 root root  690 Oct 13 20:07 usr.bin.fam
-rw-r--r-- 1 root root  743 Oct 13 20:07 usr.bin.freshclam
-rw-r--r-- 1 root root 1919 Oct 13 20:07 usr.bin.gaim
-rw-r--r-- 1 root root  649 Oct 13 20:07 usr.bin.man
-rw-r--r-- 1 root root  611 Oct 13 20:07 usr.bin.mlmmj-bounce
-rw-r--r-- 1 root root 1034 Oct 13 20:07 usr.bin.mlmmj-maintd
-rw-r--r-- 1 root root 1089 Oct 13 20:07 usr.bin.mlmmj-make-ml.sh
-rw-r--r-- 1 root root  877 Oct 13 20:07 usr.bin.mlmmj-process
-rw-r--r-- 1 root root  580 Oct 13 20:07 usr.bin.mlmmj-recieve
-rw-r--r-- 1 root root  759 Oct 13 20:07 usr.bin.mlmmj-send
-rw-r--r-- 1 root root  814 Oct 13 20:07 usr.bin.mlmmj-sub
-rw-r--r-- 1 root root  796 Oct 13 20:07 usr.bin.mlmmj-unsub
-rw-r--r-- 1 root root 2013 Oct 13 20:07 usr.bin.opera
-rw-r--r-- 1 root root 1044 Oct 13 20:07 usr.bin.passwd
-rw-r--r-- 1 root root 1018 Oct 13 20:07 usr.bin.procmail
-rw-r--r-- 1 root root 2491 Oct 13 20:07 usr.bin.skype
-rw-r--r-- 1 root root  580 Oct 13 20:07 usr.bin.spamc
-rw-r--r-- 1 root root  897 Oct 13 20:07 usr.bin.svnserve
-rw-r--r-- 1 root root 1178 Oct 13 20:07 usr.bin.wireshark
-rw-r--r-- 1 root root  670 Oct 13 20:07 usr.bin.xfs
-rw-r--r-- 1 root root 1015 Oct 13 20:07 usr.lib64.GConf.2.gconfd-2
-rw-r--r-- 1 root root  857 Oct 13 20:07 usr.lib.bonobo.bonobo-activation-server
-rw-r--r-- 1 root root 1251 Oct 13 20:07 usr.lib.evolution-data-server.evolution-data-server-1.10
-rw-r--r-- 1 root root 3757 Oct 13 20:07 usr.lib.firefox.firefox
-rw-r--r-- 1 root root  386 Oct 13 20:07 usr.lib.firefox.firefox.sh
-rw-r--r-- 1 root root  654 Oct 13 20:07 usr.lib.firefox.mozilla-xremote-client
-rw-r--r-- 1 root root 1011 Oct 13 20:07 usr.lib.GConf.2.gconfd-2
-rw-r--r-- 1 root root 1600 Oct 13 20:07 usr.lib.man-db.man
-rw-r--r-- 1 root root  880 Oct 13 20:07 usr.lib.postfix.anvil
-rw-r--r-- 1 root root 2092 Oct 13 20:07 usr.lib.postfix.bounce
-rw-r--r-- 1 root root 1260 Oct 13 20:07 usr.lib.postfix.cleanup
-rw-r--r-- 1 root root  523 Oct 13 20:07 usr.lib.postfix.discard
-rw-r--r-- 1 root root  617 Oct 13 20:07 usr.lib.postfix.error
-rw-r--r-- 1 root root 1692 Oct 13 20:07 usr.lib.postfix.flush
-rw-r--r-- 1 root root  615 Oct 13 20:07 usr.lib.postfix.lmtp
-rw-r--r-- 1 root root 1830 Oct 13 20:07 usr.lib.postfix.local
-rw-r--r-- 1 root root 1879 Oct 13 20:07 usr.lib.postfix.master
-rw-r--r-- 1 root root 2434 Oct 13 20:07 usr.lib.postfix.nqmgr
-rw-r--r-- 1 root root  598 Oct 13 20:07 usr.lib.postfix.oqmgr
-rw-r--r-- 1 root root  850 Oct 13 20:07 usr.lib.postfix.pickup
-rw-r--r-- 1 root root  490 Oct 13 20:07 usr.lib.postfix.pipe
-rw-r--r-- 1 root root  700 Oct 13 20:07 usr.lib.postfix.proxymap
-rw-r--r-- 1 root root 2455 Oct 13 20:07 usr.lib.postfix.qmgr
-rw-r--r-- 1 root root  617 Oct 13 20:07 usr.lib.postfix.qmqpd
-rw-r--r-- 1 root root  671 Oct 13 20:07 usr.lib.postfix.scache
-rw-r--r-- 1 root root 2251 Oct 13 20:07 usr.lib.postfix.showq
-rw-r--r-- 1 root root 1818 Oct 13 20:07 usr.lib.postfix.smtp
-rw-r--r-- 1 root root 2099 Oct 13 20:07 usr.lib.postfix.smtpd
-rw-r--r-- 1 root root  617 Oct 13 20:07 usr.lib.postfix.spawn
-rw-r--r-- 1 root root  788 Oct 13 20:07 usr.lib.postfix.tlsmgr
-rw-r--r-- 1 root root  895 Oct 13 20:07 usr.lib.postfix.trivial-rewrite
-rw-r--r-- 1 root root  619 Oct 13 20:07 usr.lib.postfix.verify
-rw-r--r-- 1 root root  779 Oct 13 20:07 usr.lib.postfix.virtual
-rw-r--r-- 1 root root 1332 Oct 13 20:07 usr.lib.RealPlayer10.realplay
-rw-r--r-- 1 root root 1067 Oct 13 20:07 usr.NX.bin.nxclient
-rw-r--r-- 1 root root  950 Oct 13 20:07 usr.sbin.dhcpd
-rw-r--r-- 1 root root 5910 Oct 13 20:07 usr.sbin.httpd2-prefork
-rw-r--r-- 1 root root  798 Oct 13 20:07 usr.sbin.imapd
-rw-r--r-- 1 root root  648 Oct 13 20:07 usr.sbin.in.fingerd
-rw-r--r-- 1 root root 1278 Oct 13 20:07 usr.sbin.in.ftpd
-rw-r--r-- 1 root root  586 Oct 13 20:07 usr.sbin.in.ntalkd
-rw-r--r-- 1 root root  803 Oct 13 20:07 usr.sbin.ipop2d
-rw-r--r-- 1 root root  803 Oct 13 20:07 usr.sbin.ipop3d
-rw-r--r-- 1 root root 1675 Oct 13 20:07 usr.sbin.lighttpd
-rw-r--r-- 1 root root  916 Oct 13 20:07 usr.sbin.nmbd
-rw-r--r-- 1 root root  823 Oct 13 20:07 usr.sbin.oidentd
-rw-r--r-- 1 root root  728 Oct 13 20:07 usr.sbin.popper
-rw-r--r-- 1 root root 1322 Oct 13 20:07 usr.sbin.postalias
-rw-r--r-- 1 root root 1008 Oct 13 20:07 usr.sbin.postdrop
-rw-r--r-- 1 root root  821 Oct 13 20:07 usr.sbin.postmap
-rw-r--r-- 1 root root 1125 Oct 13 20:07 usr.sbin.postqueue
-rw-r--r-- 1 root root 3336 Oct 13 20:07 usr.sbin.sendmail
-rw-r--r-- 1 root root 2052 Oct 13 20:07 usr.sbin.sendmail.postfix
-rw-r--r-- 1 root root 1566 Oct 13 20:07 usr.sbin.sendmail.sendmail
-rw-r--r-- 1 root root 1136 Oct 13 20:07 usr.sbin.smbd
-rw-r--r-- 1 root root 1061 Oct 13 20:07 usr.sbin.spamd
-rw-r--r-- 1 root root 1682 Oct 13 20:07 usr.sbin.squid
-rw-r--r-- 1 root root 4197 Oct 13 20:07 usr.sbin.sshd
-rw-r--r-- 1 root root 1473 Oct 13 20:07 usr.sbin.useradd
-rw-r--r-- 1 root root 1330 Oct 13 20:07 usr.sbin.userdel
-rw-r--r-- 1 root root 1242 Oct 13 20:07 usr.sbin.vsftpd
-rw-r--r-- 1 root root 2409 Oct 13 20:07 usr.sbin.xinetd
$ sudo apparmor_status
apparmor module is loaded.
67 profiles are loaded.
30 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
   /usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
   /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/tcpdump
   webbrowser-app
   webbrowser-app//oxide_helper
37 profiles are in complain mode.
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/dovecot-lda///usr/sbin/sendmail
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/sbin/smbldap-useradd
   /usr/sbin/smbldap-useradd///etc/init.d/nscd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
   klogd
   syslog-ng
   syslogd
5 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (1597) 
   /usr/sbin/cups-browsed (1223) 
0 processes are in complain mode.
3 processes are unconfined but have a profile defined.
   /usr/sbin/avahi-daemon (1153) 
   /usr/sbin/avahi-daemon (1208) 
   /usr/sbin/dnsmasq (1607) 


Рассмотрим профиль для Firefox, расположенный в файле /etc/apparmor.d/usr.bin.firefox (запись в /etc/apparmor.d/disable/ была лишь символьной ссылкой на него и уже удалена).

# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>

# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/firefox

#include <tunables/global>

# We want to confine the binaries that match:
#  /usr/lib/firefox/firefox
#  /usr/lib/firefox/firefox
# but not:
#  /usr/lib/firefox/firefox.sh
# NOTE(review): there is no 'flags=(complain)' on this header, so once loaded
# the profile is enforced: any access not granted below is denied and logged.
/usr/lib/firefox/firefox{,*[^s][^h]} {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-strict>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dconf>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/p11-kit>
  #include <abstractions/ubuntu-unity7-base>
  #include <abstractions/ubuntu-unity7-launcher>

  #include <abstractions/dbus-accessibility-strict>
  dbus (send)
       bus=session
       peer=(name=org.a11y.Bus),
  dbus (receive)
       bus=session
       interface=org.a11y.atspi**,
  dbus (receive, send)
       bus=accessibility,

  # for networking
  # stream (TCP) sockets only; no other 'network' rule appears in this profile
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  dbus (send)
       bus=system
       path=/org/freedesktop/NetworkManager
       member=state,
  dbus (receive)
       bus=system
       path=/org/freedesktop/NetworkManager,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list    r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  # 'm' = allow mapping files executable (mmap PROT_EXEC); 'owner' restricts it
  # to files owned by the user running the browser
  owner /tmp/** m,
  owner /var/tmp/** m,
  owner /{,var/}run/shm/shmfd-* rw,
  owner /{dev,run}/shm/org.chromium.* rwk,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,
  # let the shell know we launched something
  dbus (send)
     bus=session
     interface=org.gtk.gio.DesktopAppInfo
     member=Launched,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # firefox specific
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts firefox and firefox.sh is used
  # 'ix' = inherit: the executed helper keeps running under this same profile
  @{MOZ_LIBDIR}/** ixr,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  @{PROC}/sys/vm/overcommit_memory r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/platform/**/uevent r,
  /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
  owner @{HOME}/.cache/thumbnails/** rw,

  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  # NOTE(review): together with '/**/ r' below this is a very broad read grant;
  # only the explicit 'deny' rules above (e.g. /boot, /.suspended) carve
  # exceptions out of it, since deny rules take precedence over allow rules.
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # so browsing directories works
  / r,
  /**/ r,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

  # per-user firefox configuration
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/firefox* rwk,
  owner @{HOME}/.cache/mozilla/{,firefox/} rw,
  owner @{HOME}/.cache/mozilla/firefox/** rw,
  owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  owner @{HOME}/.config/dconf/user w,
  owner /{,var/}run/user/*/dconf/user w,
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Server
       member=GetDefaultDatabase,
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Database/*
       member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner @{HOME}/.mozilla/**/extensions/** mixr,

  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Miscellaneous (to be abstracted)
  # Ideally these would use a child profile. They are all ELF executables
  # so running with 'Ux', while not ideal, is ok because we will at least
  # benefit from glibc's secure execute.
  # 'Ux' = run unconfined (no profile at all), with the environment scrubbed
  /usr/bin/mkfifo Uxr,  # investigate
  /bin/ps Uxr,
  /bin/uname Uxr,

  # 'Cx' = run under the child profile 'lsb_release' defined just below,
  # which has its own (narrower) rule set
  /usr/bin/lsb_release Cxr -> lsb_release,
  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>
    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,
    /usr/include/python2.[4567]/pyconfig.h r,
    /etc/lsb-release r,
    /etc/debian_version r,
    /var/lib/dpkg/** r,

    /usr/local/lib/python3.[0-4]/dist-packages/ r,
    /usr/bin/ r,
    /usr/bin/python3.[0-4] r,

    # file_inherit
    deny /tmp/gtalkplugin.log w,
  }

  # Addons
  #include <abstractions/ubuntu-browsers.d/firefox>

  # Site-specific additions and overrides. See local/README for details.
  # Put local changes in /etc/apparmor.d/local/usr.bin.firefox rather than in
  # this file; the profile must be reloaded afterwards for them to take effect.
  #include <local/usr.bin.firefox>
}


Как видим, в конце подключается файл /etc/apparmor.d/local/usr.bin.firefox — он предназначен для пользовательской донастройки, и при необходимости его можно редактировать. После правки профиль нужно перезагрузить в ядро (apparmor_parser -r /etc/apparmor.d/usr.bin.firefox), иначе изменения не вступят в силу.

Профиль для Chromium: /etc/apparmor.d/usr.bin.chromium-browser. Обратите внимание на flags=(complain,…) в заголовке профиля и на flags=(complain) у всех дочерних профилей, объявленных в этом файле: в режиме complain нарушения только журналируются, но не блокируются (в выводе apparmor_status выше chromium-browser числится среди профилей в complain mode). Чтобы профиль действительно ограничивал браузер, его нужно перевести в режим enforce (например, с помощью aa-enforce из пакета apparmor-utils) и перезагрузить.

# Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>

# We need 'flags=(attach_disconnected)' in newer chromium versions
# NOTE(review): 'complain' here (and on every child profile below) means
# violations are only logged, never blocked - as shipped this profile does not
# actually confine Chromium; apparmor_status lists it under 'complain mode'.
# 'attach_disconnected' keeps the profile attached to files whose path has
# become disconnected from the namespace root (presumably needed by the
# chrooting sandbox helper below - confirm before relying on it).
/usr/lib/chromium-browser/chromium-browser flags=(complain,attach_disconnected) {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  # NOTE(review): plain dbus-session, whereas the Firefox profile on this page
  # pairs dbus-session-strict with explicit dbus rules
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
  # you want access to productivity applications, adjust the following file
  # accordingly.
  #include <abstractions/ubuntu-browsers.d/chromium-browser>

  # Networking
  # stream (TCP) sockets only; no other 'network' rule appears in this profile
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,

  # Should maybe be in abstractions
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/mtab r,
  /etc/xdg/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,

  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/filesystems r,
  @{PROC}/ r,
  @{PROC}/[0-9]*/task/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/cmdline r,
  owner @{PROC}/[0-9]*/io r,
  @{PROC}/[0-9]*/smaps r,
  owner @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/status r,
  deny @{PROC}/[0-9]*/oom_{,score_}adj w,
  @{PROC}/sys/kernel/yama/ptrace_scope r,

  # Newer chromium needs these now
  /etc/udev/udev.conf r,
  /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
  /sys/devices/pci[0-9]*/**/class r,
  /sys/devices/pci[0-9]*/**/device r,
  /sys/devices/pci[0-9]*/**/irq r,
  /sys/devices/pci[0-9]*/**/resource r,
  /sys/devices/pci[0-9]*/**/vendor r,
  /sys/devices/pci[0-9]*/**/removable r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/pci[0-9]*/**/block/**/size r,
  /sys/devices/virtual/block/**/removable r,
  /sys/devices/virtual/block/**/uevent r,
  /sys/devices/virtual/block/**/size r,
  # This is requested, but doesn't seem to actually be needed so deny for now
  deny /run/udev/data/** r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/auxv r,

  # chromium mmaps all kinds of things for speed.
  # 'm' = allow mapping the file executable (mmap PROT_EXEC)
  /etc/passwd m,
  /usr/share/fonts/truetype/**/*.tt[cf] m,
  /usr/share/fonts/**/*.pfb m,
  /usr/share/mime/mime.cache m,
  /usr/share/icons/**/*.cache m,
  owner /{dev,run}/shm/pulse-shm* m,
  owner @{HOME}/.local/share/mime/mime.cache m,
  owner /tmp/** m,

  @{PROC}/sys/kernel/shmmax r,
  owner /{dev,run}/shm/{,.}org.chromium.* mrw,
  owner /{,var/}run/shm/shmfd-* mrw,

  /usr/lib/chromium-browser/*.pak mr,
  /usr/lib/chromium-browser/locales/* mr,

  # Noisy
  deny /usr/lib/chromium-browser/** w,

  # Allow ptracing ourselves
  ptrace (trace) peer=@{profile_name},

  # Make browsing directories work
  / r,
  /**/ r,

  # Allow access to documentation and other files the user may want to look
  # at in /usr
  # narrower than the Firefox profile's '/usr/** r' on this page
  /usr/{include,share,src}** r,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

  # For migration
  owner @{HOME}/.mozilla/firefox/profiles.ini r,
  owner @{HOME}/.mozilla/firefox/*/prefs.js r,

  # Helpers
  # 'ix' = inherit: the helper keeps running under this same profile
  /usr/bin/xdg-open ixr,
  /usr/bin/gnome-open ixr,
  /usr/bin/gvfs-open ixr,
  /usr/bin/kdialog ixr,
  # TODO: xfce

  # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
  # which is provided by abstractions/ubuntu-browsers.d/user-files).
  /etc/firefox/profile/bookmarks.html r,
  owner @{HOME}/.mozilla/** k,

  # Chromium Policies
  /etc/chromium-browser/policies/** r,

  # Chromium configuration
  owner @{HOME}/.pki/nssdb/* rwk,
  owner @{HOME}/.cache/chromium/ rw,
  owner @{HOME}/.cache/chromium/** rw,
  owner @{HOME}/.cache/chromium/Cache/* mr,
  owner @{HOME}/.config/chromium/ rw,
  owner @{HOME}/.config/chromium/** rwk,
  owner @{HOME}/.config/chromium/**/Cache/* mr,
  owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
  owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,

  # Allow transitions to ourself and our sandbox
  # 'ix' keeps re-executed browser processes in this profile; 'cx ->' runs the
  # setuid sandbox helper under the child profile 'chromium_browser_sandbox'
  # defined at the bottom of this file
  /usr/lib/chromium-browser/chromium-browser ix,
  /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
  /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,

  # Allow communicating with sandbox
  unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox),

  # 'Ux' = run unconfined (no profile at all), with the environment scrubbed
  /bin/ps Uxr,
  /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
  /usr/bin/xdg-settings Cxr -> xdgsettings,
  /usr/bin/lsb_release Cxr -> lsb_release,

  # GSettings
  owner /{,var/}run/user/*/dconf/     rw,
  owner /{,var/}run/user/*/dconf/user rw,
  owner @{HOME}/.config/dconf/user r,

  # child profile; also complain-only as shipped
  profile xdgsettings flags=(complain) {
    #include <abstractions/bash>
    #include <abstractions/gnome>

    /bin/dash ixr,

    /etc/ld.so.cache r,
    /usr/bin/xdg-settings r,
    /usr/lib/chromium-browser/xdg-settings r,
    /usr/share/applications/*.desktop r,

    # Checking default browser
    /bin/grep ixr,
    /bin/readlink ixr,
    /bin/sed ixr,
    /bin/which ixr,
    /usr/bin/basename ixr,
    /usr/bin/cut ixr,

    # Setting the default browser
    /bin/mkdir ixr,
    /bin/mv ixr,
    /bin/touch ixr,
    /usr/bin/dirname ixr,
    /usr/bin/gconftool-2 ix,
    /usr/bin/[gm]awk ixr,
    /usr/bin/xdg-mime ixr,
    owner @{HOME}/.local/share/applications/ w,
    owner @{HOME}/.local/share/applications/mimeapps.list* rw,
  }

  # child profile; also complain-only as shipped
  profile lsb_release flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/python>
    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,
    /usr/include/python2.[4567]/pyconfig.h r,
    /etc/lsb-release r,
    /etc/debian_version r,
    /var/lib/dpkg/** r,

    /usr/local/lib/python3.[0-4]/dist-packages/ r,
    /usr/bin/ r,
    /usr/bin/python3.[0-4] r,
  }


  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.chromium-browser>

# child profile for the setuid sandbox helper; also complain-only as shipped.
# The shipped file leaves this 'profile' line at column 0, but it is still
# nested inside the parent profile: the very last '}' closes the parent.
profile chromium_browser_sandbox flags=(complain) {
    # Be fanatical since it is setuid root and don't use an abstraction
    /lib/libgcc_s.so* mr,
    /lib/@{multiarch}/libgcc_s.so* mr,
    /lib{,32,64}/libm-*.so* mr,
    /lib/@{multiarch}/libm-*.so* mr,
    /lib{,32,64}/libpthread-*.so* mr,
    /lib/@{multiarch}/libpthread-*.so* mr,
    /lib{,32,64}/libc-*.so* mr,
    /lib/@{multiarch}/libc-*.so* mr,
    /lib{,32,64}/libld-*.so* mr,
    /lib/@{multiarch}/libld-*.so* mr,
    /lib{,32,64}/ld-*.so* mr,
    /lib/@{multiarch}/ld-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
    /usr/lib/libstdc++.so* mr,
    /usr/lib/@{multiarch}/libstdc++.so* mr,
    /etc/ld.so.cache r,

    # Required for dropping into PID namespace. Keep in mind that until the
    # process drops this capability it can escape confinement, but once it
    # drops CAP_SYS_ADMIN we are ok.
    capability sys_admin,

    # All of these are for sanely dropping from root and chrooting
    capability chown,
    capability fsetid,
    capability setgid,
    capability setuid,
    capability dac_override,
    capability sys_chroot,

    capability sys_ptrace,
    ptrace (read, readby),

    signal (receive) peer=unconfined,
    signal peer=@{profile_name},
    signal (receive, send) set=("exists"),
    signal (receive) peer=/usr/lib/chromium-browser/chromium-browser,

    unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser),
    unix (create),
    unix peer=(label=@{profile_name}),
    unix (getattr, getopt, setopt, shutdown) addr=none,

    @{PROC}/ r,
    @{PROC}/[0-9]*/ r,
    @{PROC}/[0-9]*/fd/ r,
    deny @{PROC}/[0-9]*/oom_adj w,
    deny @{PROC}/[0-9]*/oom_score_adj w,
    @{PROC}/[0-9]*/status r,
    @{PROC}/[0-9]*/task/[0-9]*/stat r,

    /usr/bin/chromium-browser r,
    # 'Px' = execute under the profile named for the target path (the parent
    # browser profile above), with the environment scrubbed
    /usr/lib/chromium-browser/chromium-browser Px,
    /usr/lib/chromium-browser/chromium-browser-sandbox r,
    /usr/lib/chromium-browser/chrome-sandbox r,

    /dev/null rw,

    owner /tmp/** rw,
  }
}




--
http://forums.opera.com/discussion/1865087/no-suid-sandbox/p1