Anyone using Apparmor?

Discussion in 'all things UNIX' started by Hungry Man, Mar 11, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Native Client Helper

    Chrome Sandbox

    Chrome

     
    Last edited: Sep 19, 2012
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,629
    Location:
    Canada
    Wow! Maybe mine's overly simple...

    Code:
    # Last Modified: Sun Sep 16 22:15:41 2012
    #include <tunables/global>
    
    /opt/google/chrome/google-chrome {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/cups-client>
      #include <abstractions/dbus-session>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/nvidia>
      #include <abstractions/ubuntu-konsole>
      #include <abstractions/user-tmp>
      #include <abstractions/user-write>
    
      capability dac_override,
      capability setgid,
      capability setuid,
      capability sys_admin,
      capability sys_chroot,
      #capability sys_ptrace,
    
    
      /bin/bash ix,
      /bin/dash rix,
      /bin/grep rix,
      /bin/mkdir rix,
      /bin/readlink rix,
      /bin/sed rix,
      /bin/which rix,
      /dev/ r,
      /etc/.java/ w,
      /etc/debian_version r,
      /etc/lsb-release r,
      /etc/python2.7/sitecustomize.py r,
      /etc/timezone r,
      /home/*/.Xauthority r,
      /home/*/.cache/dconf/user rw,
      /home/*/.cache/google-chrome/Default/Cache/* rw,
      /home/*/.config/dconf/user r,
      /home/*/.config/google-chrome/.com.google.Chrome.* rw,
      "/home/*/.config/google-chrome/Certificate Revocation Lists" w,
      /home/*/.config/google-chrome/Default/ r,
      /home/*/.config/google-chrome/Default/* rwk,
      "/home/*/.config/google-chrome/Default/Extension State/" rw,
      "/home/*/.config/google-chrome/Default/Extension State/*" rw,
      /home/*/.config/google-chrome/Default/Extensions/ r,
      /home/*/.config/google-chrome/Default/Extensions/** rw,
      "/home/*/.config/google-chrome/Default/Local Storage/" r,
      "/home/*/.config/google-chrome/Default/Local Storage/*" k,
      "/home/*/.config/google-chrome/Default/Local Storage/chrome-extension_*" rwk,
      "/home/*/.config/google-chrome/Default/Pepper Data/Shockwave Flash/CacheWritableAdobeRoot/AssetCache/" r,
      "/home/*/.config/google-chrome/Default/Pepper Data/Shockwave Flash/CacheWritableAdobeRoot/AssetCache/*/" w,
      "/home/*/.config/google-chrome/Default/Pepper Data/Shockwave Flash/WritableRoot/#SharedObjects/" r,
      "/home/*/.config/google-chrome/Default/Pepper Data/Shockwave Flash/WritableRoot/#SharedObjects/**" rw,
      "/home/*/.config/google-chrome/Default/Pepper Data/Shockwave Flash/WritableRoot/macromedia.com/support/flashplayer/sys/ settings.*" rw,
      "/home/*/.config/google-chrome/Default/Pepper Data/Shockwave Flash/WritableRoot/macromedia.com/support/flashplayer/sys/settings.sol" rw,
      "/home/*/.config/google-chrome/Default/Pepper Data/Shockwave Flash/WritableRoot/macromedia.com/support/flashplayer/sys/settings.sxx" w,
      "/home/*/.config/google-chrome/Default/User StyleSheets/Custom.css" r,
      "/home/*/.config/google-chrome/Default/Visited Links" rw,
      /home/*/.config/google-chrome/Default/databases/ r,
      /home/*/.config/google-chrome/Default/databases/Databases.db rwk,
      /home/*/.config/google-chrome/Default/databases/Databases.db* rk,
      /home/*/.config/google-chrome/Default/databases/chrome-extension_* rwk,
      /home/*/.config/google-chrome/Default/databases/chrome-extension_*_0/1* rwk,
      /home/*/.config/google-chrome/Dictionaries/en-GB* rw,
      "/home/*/.config/google-chrome/Local State" rw,
      "/home/*/.config/google-chrome/Safe Browsing*" rwk,
      "/home/*/.config/google-chrome/Service State" r,
      /home/*/.config/google-chrome/Singleton* w,
      /home/*/.config/google-chrome/chrome_shutdown_ms.txt rw,
      /home/*/.config/user-dirs.dirs r,
      /home/*/.java/deployment/CacheUpgrade.properties r,
      /home/*/.java/deployment/cache/6.0/** rwk,
      /home/*/.java/deployment/deployment.properties rwk,
      /home/*/.local/share/mime/mime.cache r,
      /home/*/.mozilla/firefox/*.default/.parentlock wk,
      /home/*/.mozilla/firefox/*.default/compatibility.ini r,
      /home/*/.mozilla/firefox/profiles.ini r,
      /home/*/.pki/nssdb/* rwk,
      /home/*/Downloads/* rw,
      /home/*/Downloads/*.crx rw,
      /home/*/Downloads/.com.google.Chrome.* w,
      /home/*/.java/fonts/** rw,
      /opt/google/chrome/* r,
      /opt/google/chrome/PepperFlash/libpepflashplayer.so mr,
      /opt/google/chrome/chrome rix,
      /opt/google/chrome/chrome-sandbox rix,
      /opt/google/chrome/chrome.pak r,
      /opt/google/chrome/default_apps/ r,
      /opt/google/chrome/default_apps/external_extensions.json r,
      /opt/google/chrome/extensions/ w,
      /opt/google/chrome/google-chrome rix,
      /opt/google/chrome/lib*.so mr,
      /opt/google/chrome/locales/en-GB.pak r,
      /opt/google/chrome/nacl_helper mr,
      /opt/google/chrome/nacl_helper_bootstrap rix,
      /proc/ r,
      /proc/*/ r,
      /proc/*/coredump_filter rw,
      /proc/*/fd/ r,
      /proc/*/io r,
      /proc/*/maps r,
      /proc/*/net/* r,
      /proc/*/oom_score_adj w,
      /proc/*/stat* r,
      /proc/*/task/ r,
      /proc/*/task/*/stat r,
      /proc/cpuinfo r,
      /proc/filesystems r,
      /proc/meminfo r,
      /proc/sys/kernel/shmmax r,
      /run/shm/.com.google.Chrome* rw,
      /run/shm/com.google.Chrome* rw,
      /selinux/ r,
      /sys/bus/pci/devices/ r,
      /sys/devices/pci0000:00/0000:00:*/** r,
      /sys/devices/system/cpu/ r,
      /sys/devices/system/cpu/** r,
      owner /tmp/** lk,
      /tmp/** rw,
      /usr/bin/basename rix,
      /usr/bin/cut rix,
      /usr/bin/dirname rix,
      /usr/bin/gvfs-open rix,
      /usr/bin/lsb_release rix,
      /usr/bin/mawk rix,
      /usr/bin/xdg-* rix,
      /usr/include/python2.7/pyconfig.h r,
      /usr/lib/jvm/java-{7,8,9}-oracle/jre/bin/java rix,
      /usr/lib{,32,64}/** mr,
      /usr/local/lib/python2.7/dist-packages/ r,
      /usr/share/glib-2.0/schemas/gschemas.compiled r,
      /usr/share/misc/pci.ids r,
      /usr/share/pyshared/* r,
      owner /var/tmp/** lk,
      /var/tmp/** rw,
    
    }
    I guess a lot depends on what's included in the abstractions profiles. I threw in some abstractions that probably aren't needed, but I just wanted to simplify the process of building the profile. I confess there was some guesswork on my part as well :blink: Still, yours is obviously far more granular than mine. Are you using the stable release of Chrome? That's what I'm using. Initially I was using the Developer version, then I uninstalled it along with the profile, installed the stable, then re-built the profile.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I would rewrite yours, seems pretty loose. All of those capabilities can be dangerous. Strict file access though and that's always important.

    Mine isn't working right now. I might start over, I'm having some weird issues.

    I use Chrome Beta.

    I would suggest you sandbox the chrome-sandbox and then work from there.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,629
    Location:
    Canada
    I see your profile includes the same capabilities, though, and then some??

    I may just have another go at it, however, both for interest's sake and to see if I can tighten it down a bit more. Maybe my use of wildcards is too liberal but I didn't want an overwhelmingly large profile. The executable masks confuse me the most as to what to set them at. When I use aa-genprof and scan after I put the program through its paces, it gives me options such as Child, Inherit and Profile. I usually just choose inherit because it seems to always work and then from what I understand it's more secure than Px or Ux. I still have some figuring out to do on Apparmor because as it stands now I don't yet have close to a thorough understanding of how to properly build profiles, other than just going off the aa-genprof scan suggestions.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The sandbox profile contains those capabilities but the other profile doesn't.

    So an exploit in the sandbox process could do those things but an exploit in the other processes would not be able to.

    Reducing file access is really important. Especially to areas of /proc/ and whatnot.

    Chrome obviously needs very little help to be secure on Linux what with the sandbox but it's nice to have something on top of it all.

    It's more secure than Ux but not Px.

    Inherit means it runs with the same rights as your parent profile. If Chrome opens Deluge as Ix Deluge can only access what Chrome can access.

    If you separate Deluge into its own profile (Px) it'll only have access to what it needs - this is ideal.

    For something like 'which' or 'wget' it's fine to use Ix because Chrome is using it to modify its own files. Ix is perfect for this.

    Cx is good for when you need to open another process that'll access files outside of the Chrome profile but that you don't want to profile separately.

    It takes some time to get used to it.

    I would suggest you have a look at PaX and Grsecurity too. I'd say it's like EMET on steroids but that doesn't even give it enough credit.
     
  6. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,464
    Way over my head guys, it would nice if you could make a guide or a blog on terminal commands.
     
  7. tlu

    tlu Guest

    Well, there are a lot of sources for that.

    There are, e.g., the man pages on http://manpages.ubuntu.com/manpages/precise/en/man7/apparmor.7.html and http://manpages.ubuntu.com/manpages/precise/en/man5/apparmor.d.5.html.

    You'll get more info on http://wiki.apparmor.net/index.php/Documentation. A very detailed documentation is http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference.

    Another good source is http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/part.apparmor.html
     
    Last edited by a moderator: Sep 19, 2012
  8. tlu

    tlu Guest

  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,629
    Location:
    Canada
    Thanks tlu, I'll check those out :)

    @HM, I'll take aa for another spin profiling Chrome again, just to see if I can't restrict it some more without breaking its functionality. Thanks!
     
    Last edited: Sep 19, 2012
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  11. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    OK, I switched from Chromium to Chrome on 12.04. I created a profile from scratch for both Chrome and the sandbox. I was as restrictive as I could be. Yes, I did use some abstractions, but I checked each one to make sure there was nothing superfluous (also checked to make sure there were no Ux, etc.).

    Here's the Chrome profile:

    Code:
    # Last Modified: Wed Sep 19 08:49:42 2012
    #include <tunables/global>
    
    /opt/google/chrome/chrome {
      #include <abstractions/X>
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/cups-client>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/ubuntu-browsers.d/java>
      #include <abstractions/user-tmp>
    
      # For networking.  Decided not to use abstractions here.  
      network inet stream,
      network inet6 stream,
      network inet  dgram,
      network inet6 dgram,
      /etc/host.conf r,
      /etc/hosts r,
      /etc/nsswitch.conf r,
      /etc/resolv.conf r,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r,
    
      # Python stuff
      /etc/python2.7/sitecustomize.py r,
      /usr/include/python2.7/ r,
      /usr/include/python2.7/** r,
      /usr/local/lib/python2.7/ r,
      /usr/local/lib/python2.7/** r,
      /usr/share/pyshared/ r,
      /usr/share/pyshared/** r,
    
      /opt/google/chrome/ r,
      /opt/google/chrome/** m,
      /opt/google/chrome/** rwkl,
    
      /dev/ r,
      /dev/nvidiactl rw,
      /dev/nvidia0 rw,
      /etc/debian_version r,
      /etc/group r,  
      /etc/lsb-release r,
      /etc/gai.conf r,
      /etc/mtab r,
      /etc/mime.types r,
      /etc/mailcap r,
      /etc/passwd r,
      /etc/xdg/xubuntu/applications/defaults.list r,
      /run/shm/*.google** rw,
      /selinux/ r,
      /var/lib/dbus/machine-id r,
    
      owner @{HOME}/.config/google-chrome/Default/Shortcuts rwk,
      owner @{HOME}/.local/share/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/mimeinfo.cache r,
      owner @{HOME}/.cache/dconf/user rw,
      owner @{HOME}/.config/dconf/user r,
      owner @{HOME}/.config/google-chrome/ r,
      owner @{HOME}/.config/google-chrome/** rwkl,
      owner @{HOME}/.config/ibus/bus/ rw,
      owner @{HOME}/.cache/google-chrome/Default/Cache/ r,
      owner @{HOME}/.cache/google-chrome/Default/Cache/** rw,
    
    
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/filesystems r,
      @{PROC}/ r,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      @{PROC}/*/oom_score_adj rw,
      @{PROC}/sys/kernel/shmmax r,
      @{PROC}/*/task/ r,
      owner @{PROC}/[0-9]*/cmdline r,
      owner @{PROC}/[0-9]*/io r,
      owner @{PROC}/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/status r,
      
    
      # Newer chromium needs these now
      /sys/devices/pci[0-9]*/**/class r,
      /sys/devices/pci[0-9]*/**/device r,
      /sys/devices/pci[0-9]*/**/irq r,
      /sys/devices/pci[0-9]*/**/resource r,
      /sys/devices/pci[0-9]*/**/vendor r,
      /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
      /sys/bus/pci/devices/ r,
    
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
    
      /bin/dash ixr,
      /usr/bin/lsb_release ixr,
      /usr/bin/xdg-open ixr,
      /usr/bin/gnome-open ixr,
      /usr/bin/gvfs-open ixr,
    
      owner @{HOME}/.pki/nssdb/* rwk,
    
      # Libraries Chrome needs
      /usr/lib/x86_64-linux-gnu/pango/*/modules/*.so mr,
      /usr/lib/x86_64-linux-gnu/gtk-2.0/*/immodules/*.so mr,
    
      # For themes
      /usr/share/misc/ r,
      /usr/share/misc/** r,
      /usr/share/glib-2.0/schemas/ r,
      /usr/share/glib-2.0/schemas/** r,
      /usr/share/themes/ r,
      /usr/share/themes/** r,
    
      # Allow transitions to ourself and our sandbox
      /opt/google/chrome/chrome-sandbox Pxr,
      /opt/google/chrome/google-chrome ixr,
      /opt/google/chrome/chrome ixr,
      /opt/google/chrome/nacl_helper_bootstrap ixr,
    
      /usr/bin/xdg-settings Px,
      
    }

    Here's the sandbox profile (I made a separate profile for it). With this profile, I actually copied the original Chromium profile that comes with Ubuntu and added a line here and there. The default profile in Ubuntu was always pretty restrictive (for the sandbox at least):

    Code:
    # Last Modified: Wed Sep 19 08:34:21 2012
    #include <tunables/global>
    
    /opt/google/chrome/chrome-sandbox {
      # Be fanatical since it is setuid root and don't use an abstraction
        /lib/libgcc_s.so* mr,
        /lib{,32,64}/libm-*.so* mr,
        /lib/@{multiarch}/libm-*.so* mr,
        /lib{,32,64}/libpthread-*.so* mr,
        /lib/@{multiarch}/libpthread-*.so* mr,
        /lib{,32,64}/libc-*.so* mr,
        /lib/@{multiarch}/libc-*.so* mr,
        /lib{,32,64}/libld-*.so* mr,
        /lib/@{multiarch}/libld-*.so* mr,
        /lib{,32,64}/ld-*.so* mr,
        /lib/@{multiarch}/ld-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
        /usr/lib/libstdc++.so* mr,
        /etc/ld.so.cache r,
    
        # Required for dropping into PID namespace. Keep in mind that until the
        # process drops this capability it can escape confinement, but once it
        # drops CAP_SYS_ADMIN we are ok.
        capability sys_admin,
    
        # All of these are for sanely dropping from root and chrooting
        capability chown,
        capability fsetid,
        capability setgid,
        capability setuid,
        capability dac_override,
        capability sys_chroot,
    
        # *Sigh*
        capability sys_ptrace,
    
        @{PROC}/ r,
        @{PROC}/[0-9]*/ r,
        @{PROC}/[0-9]*/fd/ r,
        @{PROC}/[0-9]*/oom_adj w,
        @{PROC}/[0-9]*/oom_score_adj w,
        @{PROC}/[0-9]*/task/[0-9]*/stat r,
    
        /opt/google/chrome r,
        /opt/google/chrome/chrome Px,
        /opt/google/chrome/chrome-sandbox r,
    
        owner /tmp/** rw,
    }

    Also I made a profile for /usr/bin/xdg-settings. You will need this for the profile to work correctly. It is below:

    Code:
    # Last Modified: Wed Sep 19 08:51:52 2012
    #include <tunables/global>
    
    /usr/bin/xdg-settings {
      #include <abstractions/base>
    
    
    
      /bin/dash rix,
      /bin/grep rix,
      /bin/readlink rix,
      /bin/sed rix,
      /bin/which rix,
      /home/*/.local/share/applications/* r,
      /proc/*/maps r,
      /proc/filesystems r,
      /usr/bin/basename rix,
      /usr/bin/cut rix,
      /usr/bin/gawk rix,
      /usr/bin/gconftool-2 rix,
      /usr/bin/xdg-mime rix,
      /usr/bin/xdg-settings r,
    
    }

    So, you will have three files in /etc/apparmor.d:

    1) opt.google.chrome.chrome
    2) opt.google.chrome.chrome-sandbox
    3) usr.bin.xdg-settings

    Try it out and let me know how it goes.

    TO DO: I am going to try and make more sub-profiles for things like /bin/which, /bin/grep, /bin/sed, /bin/dash, /gnome-open, etc.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    For things like which and grep and sed and dash etc it makes more sense to do child profiles.

    Because Chrome might just use grep to pull in a single file to a single location. But a full grep profile would likely need access to a lot more than that, so a child profile would be tighter.

    edit: Finished up the Chrome profile - no more abstractions. Removed access to a lot of libraries.
     
    Last edited: Sep 19, 2012
  13. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I tried /bin/dash, got this message:

    So I guess that is a no-go. I will try others and see if the same warnings occur.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,629
    Location:
    Canada
    Here's a question for you apparmor experts: how do you know what type of executable qualifier to use for a given executable path when you're generating rules? In a few cases I changed ix to Px but it ended up breaking the desired action, so of course I had to revert to ix. Do you just choose the most restrictive qualifier then "downgrade" to something more liberal if it doesn't break, or do you know what to choose? aa-genprof offers several choices but in most cases I'm completely guessing which one to choose. I always get a warning something to the effect of: some require "LD_PRELOAD" or "LD_LIBRARY_PATH" if I choose Px.

    Also, I can't help but notice "different folks, different strokes" when I compare Hungry Man's Chrome profile to chronomatic's. They are so completely different! Who's right and who's wrong?? Or do both of you have a solid profile with just a different approach?
     
    Last edited: Sep 20, 2012
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It's a case by case basis.

    For example... I have Java run with a separate profile because I know that when Chrome launches Java, Java will need to access files besides what Chrome uses.

    But I have an inherit (ix) flag for /bin/which because Chrome is going to use /bin/which on its own files - it needs no new rights.

    I use Child when I need to give the new process new rights but when I don't want that process to *always* run in a profile, only when launched by Chrome.

    This has to do with sanitizing. You won't always get this warning.

    Our sandbox profile is the same.

    I also removed all abstractions and I avoided variables wherever I could.

    I'd say mine is more secure but I wouldn't say his is insecure by any means, both profiles avoid any Ux or writing to dangerous places.

    It's all a matter of understanding what each action does and after that things get a lot simpler.
     
  16. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,464
    Thanks for the links tlu, still way over my head. I'll read up on it though.
     
  17. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Always use "ix" unless you have a separate profile for that process. In that case you can use Px. If you select Px when there is no profile defined, apparmor will begin writing a profile for that process.

    Some apps may not work with "ix" which is why you sometimes see Ux. Instead of using Ux, you should take the time to write a separate profile for that process. Then you can use Px.

    It will vary slightly based on which version of Chrome and what exactly you use Chrome for. I use abstractions, HM doesn't. However, the abstractions I use have all been checked for weaknesses and I haven't found any. I try to stay away from "base" and a few others, but some of the abstractions are fine to use. For instance, "fonts" and "dbus-session" and "gnome" are fine to use. I have checked them and they are pretty restrictive and have no "Ux" entries.

    But all in all, I feel my Chrome profile is pretty restrictive.
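    The posts above argue about the same three things by hand: which exec qualifier each rule requests (ix, Px, Cx, and the Ux chronomatic checks the abstractions for), which capabilities a profile grants (the ones Hungry Man calls dangerous), and how broad the write rules are. As an added example, not code from this thread or from any poster's profiles, here is a small Python audit script that reads profile text and reports those three things, including rules inside a child profile of the kind Hungry Man suggests for grep and sed. The script name, the `audit` and `exec_class` functions, the `RISKY_CAPABILITIES` watch-list and the sample profile are all this example's own assumptions.

```python
"""Audit an AppArmor profile: exec transitions (ix/Px/Cx/Ux), capabilities, broad writes."""
import re

# Reviewer's own watch-list of capabilities (an assumption, not an AppArmor definition).
RISKY_CAPABILITIES = {"sys_admin", "sys_ptrace", "sys_module", "sys_rawio", "dac_override",
                      "setuid", "setgid", "chown", "fsetid", "sys_chroot"}

_PROFILE_START = re.compile(r'^(?:profile\s+)?(\S+)(?:\s+flags=\([^)]*\))?\s*\{$')
_CAPABILITY = re.compile(r'^capability\s+([a-z_]+),$')
# optional "owner", a path (quoted paths may hold spaces or '#'), mode letters, optional "-> target"
_FILE_RULE = re.compile(r'^(?P<owner>owner\s+)?(?P<path>"[^"]+"|\S+)\s+'
                        r'(?P<mode>[rwklmxiPpCcUu]+)(?:\s*->\s*(?P<target>\S+))?,$')


def exec_class(mode):
    """Name the transition an x-rule requests:
    inherit (ix) keeps the caller's profile, so the child gains no new rights;
    profile (Px/px) switches to the child's own profile, which must exist;
    child (Cx/cx) switches to a sub-profile defined inside this one;
    unconfined (Ux/ux) leaves AppArmor confinement entirely.
    Upper-case P/C/U also scrub the environment (LD_PRELOAD etc.); lower-case do not."""
    if "x" not in mode:
        return None
    for letters, name in (("Uu", "unconfined"), ("Pp", "profile"), ("Cc", "child"), ("i", "inherit")):
        if any(ch in mode for ch in letters):
            return name
    return "bare-x"  # apparmor_parser rejects an x with no qualifier


def audit(profile_text):
    stack = []          # enclosing profile names; child profiles nest inside their parent
    includes, caps = {}, {}
    files, execs, broad_writes = [], [], []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if line.startswith("#include"):
            m = re.search(r"<([^>]+)>", line)
            if m and stack:
                includes[stack[-1]].append(m.group(1))
            continue
        if not line or line.startswith("#"):   # blank or comment line
            continue
        if line == "}":
            stack.pop()
            continue
        m = _PROFILE_START.match(line)
        if m:
            stack.append(m.group(1))
            includes[m.group(1)], caps[m.group(1)] = [], []
            continue
        if not stack:
            continue
        current = stack[-1]
        m = _CAPABILITY.match(line)
        if m:
            caps[current].append(m.group(1))
            continue
        m = _FILE_RULE.match(line)
        if not m:
            continue   # network, dbus, deny and link rules are not audited here
        path, mode, target = m.group("path").strip('"'), m.group("mode"), m.group("target")
        files.append((current, path, mode))
        cls = exec_class(mode)
        if cls:
            execs.append((current, path, cls, target))
        if "w" in mode and "**" in path and not m.group("owner"):
            broad_writes.append((current, path, mode))
    risky = {p: sorted(set(c) & RISKY_CAPABILITIES) for p, c in caps.items()
             if set(c) & RISKY_CAPABILITIES}
    return {"profiles": list(includes), "includes": includes, "capabilities": caps,
            "risky_capabilities": risky, "files": files, "exec": execs,
            "unconfined_exec": [(p, f) for p, f, c, _ in execs if c == "unconfined"],
            "broad_writes": broad_writes}


# Constructed sample profile for the demo; deliberately mixes all four exec modes.
SAMPLE_PROFILE = """\
#include <tunables/global>
/opt/example/browser {
  #include <abstractions/base>
  capability sys_admin,
  capability sys_ptrace,
  /opt/example/browser ixr,
  /bin/which ix,
  /usr/bin/java Px,
  /usr/bin/grep Cx -> grep_child,
  /usr/bin/helper Ux,
  /tmp/** rw,
  owner "@{HOME}/.config/browser/#SharedObjects/**" rw,
  profile grep_child {
    /usr/bin/grep mr,
    /etc/lsb-release r,
  }
}
"""

if __name__ == "__main__":
    for prof, path, cls, target in audit(SAMPLE_PROFILE)["exec"]:
        print(f"{prof}: {path} runs as {cls}" + (f" ({target})" if target else ""))
```

    Run against one of the profiles posted above (read the file and pass its text to `audit`), the `unconfined_exec` list is the quick "no Ux" check chronomatic describes, `risky_capabilities` shows which profile carries the sandbox-style capabilities, and `broad_writes` picks out rules like `/tmp/** rw` that lack an `owner` prefix. Rules inside an abstraction are not followed, so an abstraction still has to be read separately.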
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,629
    Location:
    Canada
    Thank you so much for the help, HM and chronomatic! That helps clear things up, especially re the Px leading to a separate profile. HM had mentioned something along those lines several posts back when he advised I use Px then create a separate profile for Java, but I confess I didn't fully understand at the time.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Having Chrome open Java in a separate profile is useful. If you use ix you effectively combine your Java and Chrome profiles. That's why it's good to separate them.

    I posted the Java and Chrome profiles on my blog for reference.

    My profile won't work for everyone. I don't use chrome to print - it needs access to new libraries that I haven't allowed.

    But by blocking access to those libraries and others I've reduced the visible attack surface a lot.

    That + the multitude of security enhancements in PaX and Grsecurity means Chrome is just not a viable process to attack.

    I would suggest you look at grsecurity if you're interested in taking your security setup as far as it can go.
     
  20. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I compiled a Grsec kernel for 12.04 and while it will boot, I cannot install the nvidia graphics drivers, so I gave up.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah the GPU drivers can be the biggest issue. I use the open source ones. I've got it working well with the open source ATI drivers. The closed source ones work too but you have to disable one of the PaX features.
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,629
    Location:
    Canada
    Since I use nVidia GPUs I better hold off on grsecurity at least for now.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    There's probably a specific grsecurity feature that doesn't work with it. You could always just stick to safe ones like chroot hardening and restrictions. Just stay away from PaX features.
     
  24. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
  25. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343