From b29f9675ebb9967dad64d9949d5fd9a4a01f1ace Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 1 Oct 2022 19:08:15 +0100
Subject: [PATCH] feat(profiles): browser - add child-open integration & cleanup.
---
apparmor.d/groups/browsers/brave | 165 +++++++-----------
apparmor.d/groups/browsers/brave-browser | 13 +-
apparmor.d/groups/browsers/chromium-chromium | 26 +--
apparmor.d/groups/browsers/firefox | 60 +------
.../groups/browsers/google-chrome-chrome | 129 +++++--------
apparmor.d/groups/browsers/opera | 123 +++++-------
6 files changed, 159 insertions(+), 357 deletions(-)
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index 100dfc9ca..7eecfb995 100644
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -13,19 +14,19 @@ include
 @{exec_path} = @{BRAVE_INSTALLDIR}/brave{,-beta,-dev}
 profile brave @{exec_path} {
 include
+ include
+ include
 include
 include
- include
- include
- include
- include
 include
+ include
+ include
+ include
 include
- include
- include
 include
+ include
 include
- include
+ include
 capability sys_ptrace,
@@ -40,44 +41,41 @@ profile brave @{exec_path} {
 @{BRAVE_INSTALLDIR}/swiftshader/libEGL.so mr,
 # When installing/removing extensions
- /{usr/,}bin/basename rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/cat rix,
 /{usr/,}bin/{,e}grep rix,
-
- /etc/opt/chrome/ r,
- deny /etc/opt/chrome/ w,
-
- # For "brave --help"
- /{usr/,}bin/man rPUx,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/touch rix,
 # For storing passwords externally
 /{usr/,}bin/keepassxc-proxy rPUx,
+ /{usr/,}bin/browserpass rPx,
- /{usr/,}bin/lsb_release rPx -> lsb_release,
-
- # no new privs
- #deny /{usr/,}bin/xdg-desktop-menu rx,
-
- /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/man rPUx,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/xdg-open rPx -> child-open,
 /{usr/,}bin/xdg-settings rPx,
 /{usr/,}bin/xdg-mime rPx,
 /usr/share/chromium/extensions/ r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /etc/fstab r,
+ /etc/opt/chrome/ r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
 owner @{HOME}/ r,
 owner @{user_config_dirs}/BraveSoftware/ w,
 owner @{BRAVE_HOMEDIR}/ rw,
 owner @{BRAVE_HOMEDIR}/** rwk,
- # For Widevine plugin
 owner @{BRAVE_HOMEDIR}/WidevineCdm/libwidevinecdm.so mrw,
- # Cache files
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/BraveSoftware/ rw,
 owner @{BRAVE_CACHEDIR}/{,**/} rw,
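Review bot: `/{usr/,}bin/xdg-open rPx -> child-open,` hands every xdg-open launch to a shared child-open profile whose rules are not part of this patch, while the `open` subprofile it replaces (deleted further down in this file) listed no launchable applications at all, so what the browser may now spawn through xdg-open is decided entirely outside this file. Before merging, confirm that child-open's "allowed apps" set is an explicit allow-list and does not fall back to `ux`/`PUx` for arbitrary handlers; otherwise a compromised renderer could turn a crafted URL or download into a generic exec primitive. A one-line pointer would also save the next reader a search: `# xdg-open launches are confined by the shared child-open profile; keep its allow-list tight`. The profile body continues outside this hunk.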
@@ -85,43 +83,36 @@ profile brave @{exec_path} {
 owner @{BRAVE_CACHEDIR}/*/**/[a-f0-9]*_? rw,
 owner @{BRAVE_CACHEDIR}/*/**/todelete_* rw,
- # For importing data (bookmarks, cookies, etc) from Firefox
- owner @{HOME}/.mozilla/firefox/profiles.ini r,
- owner @{HOME}/.mozilla/firefox/*/ r,
- owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
- owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
- owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
- owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
- owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
- owner @{HOME}/.mozilla/firefox/*/logins.json r,
- # For importing data from Chromium
- owner "@{user_config_dirs}/chromium/Local State" r,
- owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
- owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
- owner @{user_config_dirs}/chromium/*/ r,
- owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
 owner @{user_config_dirs}/menus/applications-merged/ r,
 owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
- /etc/fstab r,
+ # For importing data (bookmarks, cookies, etc) from Firefox
+ # owner @{HOME}/.mozilla/firefox/profiles.ini r,
+ # owner @{HOME}/.mozilla/firefox/*/ r,
+ # owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
+ # owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
+ # owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
+ # owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
+ # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
+ # owner @{HOME}/.mozilla/firefox/*/logins.json r,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ # For importing data (bookmarks, cookies, etc) from Chromium
+ # owner "@{user_config_dirs}/chromium/Local State" r,
+ # owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
+ # owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
+ # owner @{user_config_dirs}/chromium/*/ r,
+ # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
+
+ owner /tmp/net-export/ rw, # For brave://net-export/
- # Needed or Brave crash with the following error:
- # illegal hardware instruction
 @{PROC}/ r,
- # deny @{PROC}/vmstat r,
 deny @{PROC}/stat r,
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 @{PROC}/@{pid}/fd/ r,
 deny @{PROC}/@{pids}/stat r,
 deny @{PROC}/@{pids}/statm r,
- # To remove the following error:
- # Failed to adjust OOM score of renderer with pid : Permission denied
- deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
- #
+ owner @{PROC}/@{pid}/oom_{,score_}adj rw,
 deny @{PROC}/@{pids}/cmdline r,
 owner @{PROC}/@{pids}/task/ r,
 @{PROC}/@{pids}/task/@{tid}/status r,
@@ -130,63 +121,27 @@ profile brave @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/clear_refs w,
 @{PROC}/sys/fs/inotify/max_user_watches r,
- deny @{PROC}filesystems r,
+ deny @{PROC}/filesystems r,
- owner /dev/shm/org.chromium.Chromium.shmem.[A-F0-9]*._service_shmem rw,
+ @{run}/udev/data/* r,
+
+ @{sys}/bus/ r,
+ @{sys}/bus/**/devices/ r,
+ @{sys}/class/ r,
+ @{sys}/class/**/ r,
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/pci[0-9]*/**/irq r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+ @{sys}/devices/system/cpu/online r,
+ @{sys}/devices/virtual/tty/tty[0-9]/active r,
 /dev/bus/usb/[0-9]*/[0-9]* rw,
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- # Udev enumeration
- @{sys}/bus/ r,
- @{sys}/bus/**/devices/ r,
- @{sys}/devices/**/uevent r,
- @{sys}/class/ r,
- @{sys}/class/**/ r,
- @{run}/udev/data/* r,
- @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
- @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
-
- @{sys}/devices/virtual/tty/tty[0-9]/active r,
- @{sys}/devices/system/cpu/online r,
-
- # To remove the following error:
- # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
- # The irq file is needed to render pages.
- @{sys}/devices/pci[0-9]*/**/irq r,
-
- @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
-
- # For brave://net-export/
- owner /tmp/net-export/ rw,
-
 # Silencer
 deny @{BRAVE_INSTALLDIR}/** w,
-
-
- profile open {
- include
- include
-
- /{usr/,}bin/xdg-open mr,
-
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
+ deny /etc/opt/chrome/ w,
 include if exists
 }
diff --git a/apparmor.d/groups/browsers/brave-browser b/apparmor.d/groups/browsers/brave-browser
index 9e544d35a..3faaaf3a5 100644
--- a/apparmor.d/groups/browsers/brave-browser
+++ b/apparmor.d/groups/browsers/brave-browser
@@ -1,23 +1,24 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev}
-@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
-@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
-
 abi ,
 include
+@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev}
+@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
+@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
+
 @{exec_path} = @{BRAVE_INSTALLDIR}/brave-browser{,-beta,-dev}
 profile brave-browser @{exec_path} {
 include
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/dirname rix,
 /{usr/,}bin/which{,.debianutils} rix,
@@ -26,7 +27,7 @@ profile brave-browser @{exec_path} {
 @{BRAVE_INSTALLDIR}/brave rPx,
- owner @{PROC}/@{pid}/fd/63 w,
+ owner @{PROC}/@{pid}/fd/ w,
 include if exists
 }
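Review bot: `owner @{PROC}/@{pid}/fd/ w,` in the last brave-browser hunk matches only the fd directory itself, not the entries beneath it, so the `fd/63` write the old rule granted (presumably a bash process substitution in the wrapper script) is no longer covered and will be denied again. If the goal was to stop hard-coding the descriptor number, the rule should read `owner @{PROC}/@{pid}/fd/* w,` (or use an integer tunable if the repository defines one); if the wrapper genuinely no longer needs it, drop the rule instead of keeping a directory-write that grants nothing useful. Either way, the intent is worth a comment such as `# bash process substitution in the wrapper writes to /proc/self/fd/N`, since this is the one rule in the profile a reader cannot explain from the path alone.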
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index b0ca98a50..4f7e8a67a 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -63,7 +63,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/xdg-email rPx,
 /{usr/,}bin/xdg-icon-resource rPx,
 /{usr/,}bin/xdg-mime rPx,
- /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/xdg-open rPx -> child-open,
 /{usr/,}bin/xdg-settings rPx,
 /usr/share/chromium/{,**} r,
@@ -164,29 +164,5 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 deny /{usr/,}lib/chromium/** w,
 deny @{user_share_dirs}/gvfs-metadata/* r,
- profile open {
- include
- include
- include
-
- /{usr/,}bin/xdg-open mr,
-
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/basename rix,
-
- # Allowed apps to open
- /{usr/,}bin/smplayer rPx,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
-
 include if exists
 }
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 2ae6c0533..23958f420 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -147,22 +147,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
 # Allowed apps to open
- /{usr/,}bin/xdg-open rCx -> open,
- /{usr/,}bin/exo-open rCx -> open,
- /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
- /{usr/,}bin/engrampa rPx,
- /{usr/,}bin/geany rPx,
- /{usr/,}bin/okular rPx,
- /{usr/,}bin/qbittorrent rPx,
- /{usr/,}bin/qpdfview rPx,
- /{usr/,}bin/smplayer rPx,
- /{usr/,}bin/spacefm rPx,
- /{usr/,}bin/telegram-desktop rPx,
- /{usr/,}bin/thunderbird rPx,
- /{usr/,}bin/viewnior rPUx,
- /{usr/,}bin/vlc rPx,
- /{usr/,}bin/xarchiver rPx,
- /{usr/,}bin/evince rPx,
+ /{usr/,}bin/exo-open rPx -> child-open,
+ /{usr/,}bin/xdg-open rPx -> child-open,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ /{usr/,}lib/gio-launch-desktop rPx -> child-open,
 /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
 /{usr/,}lib/mozilla/plugins/ r,
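Review bot: `/{usr/,}bin/exo-open rPx -> child-open,` drops the `/usr/share/xfce4/exo/exo-compose-mail rPx,` rule that the removed `open` subprofile carried (its deletion is in the next hunk), and nothing in this patch shows child-open granting that path, so mailto: links handled by exo-open under Xfce are likely to fail with an exec denial unless child-open already covers it. Please confirm child-open has an equivalent rule or add one there before merging. The "Allowed apps to open" comment above the new lines is now misleading, since the three launchers are not apps that are opened but dispatchers that transition out of this profile; `# URL/file handlers: xdg-open, exo-open and gio-launch-desktop run under the shared child-open profile` would describe what is actually left. The profile body continues outside this hunk.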
@@ -280,45 +268,5 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 deny owner @{HOME}/.* r,
 deny /tmp/MozillaUpdateLock-* w,
- profile open {
- include
- include
-
- /{usr/,}bin/xdg-open mr,
- /{usr/,}bin/exo-open mr,
- /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
-
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{,m,g}awk rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/basename rix,
-
- # Allowed apps to open
- /{usr/,}bin/engrampa rPx,
- /{usr/,}bin/evince rPx,
- /{usr/,}bin/geany rPx,
- /{usr/,}bin/okular rPx,
- /{usr/,}bin/qbittorrent rPx,
- /{usr/,}bin/qpdfview rPx,
- /{usr/,}bin/smplayer rPx,
- /{usr/,}bin/spacefm rPx,
- /{usr/,}bin/telegram-desktop rPx,
- /{usr/,}bin/thunderbird rPx,
- /{usr/,}bin/viewnior rPUx,
- /{usr/,}bin/vlc rPx,
- /{usr/,}bin/xarchiver rPx,
- /{usr/,}bin/evince rPx,
- /usr/share/xfce4/exo/exo-compose-mail rPx,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- include if exists
- }
-
 include if exists
 }
diff --git a/apparmor.d/groups/browsers/google-chrome-chrome b/apparmor.d/groups/browsers/google-chrome-chrome
index f94d60d67..229d4b32d 100644
--- a/apparmor.d/groups/browsers/google-chrome-chrome
+++ b/apparmor.d/groups/browsers/google-chrome-chrome
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -13,18 +14,18 @@ include
 @{exec_path} = @{CHROME_INSTALLDIR}/chrome{,-beta,-unstable}
 profile google-chrome-chrome @{exec_path} {
 include
- include
- include
- include
- include
- include
- include
 include
- include
- include
- include
- include
 include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 ptrace (trace) peer=@{profile_name},
@@ -44,23 +45,28 @@ profile google-chrome-chrome @{exec_path} {
 @{CHROME_INSTALLDIR}/nacl_helper rix,
 @{CHROME_INSTALLDIR}/xdg-mime rix,
 @{CHROME_INSTALLDIR}/xdg-settings rix,
+ @{CHROME_INSTALLDIR}/libwidevinecdm.so mr,
+ @{CHROME_INSTALLDIR}/libwidevinecdmadapter.so mr,
 # For "google-chrome --help"
 /{usr/,}bin/man rPUx,
 # For storing passwords externally
 /{usr/,}bin/keepassxc-proxy rPUx,
+ /{usr/,}bin/browserpass rPx,
- /{usr/,}bin/lsb_release rPx -> lsb_release,
- /{usr/,}bin/xdg-open rCx -> open,
-
- # no new privs
- deny /{usr/,}bin/xdg-desktop-menu rx,
- deny /{usr/,}bin/xdg-icon-resource rx,
-
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
 /{usr/,}bin/xdg-mime rPx,
+ /{usr/,}bin/xdg-open rPx -> child-open,
 /{usr/,}bin/xdg-settings rPx,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /etc/fstab r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
 # Google Chrome home files
 owner @{HOME}/ r,
 owner @{CHROME_HOMEDIR}/ rw,
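Review bot: The explicit `deny /{usr/,}bin/xdg-desktop-menu rx,` and `deny /{usr/,}bin/xdg-icon-resource rx,` lines are removed with nothing in their place, so those two tools are now blocked only implicitly, which holds only as long as none of the profile's includes grants exec on them (the include targets are not legible in this copy of the patch). An explicit deny also overrides any allow contributed by an abstraction and keeps the rejection out of the audit log, which was presumably the point of the old "no new privs" block. Unless the intent is to allow them, as the opera profile does with `rPx`, keep both deny lines; if the intent is to allow them, add `rPx` rules next to `xdg-mime`/`xdg-settings` rather than relying on silence. The profile body continues outside this hunk.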
@@ -68,50 +74,38 @@ profile google-chrome-chrome @{exec_path} {
 owner @{user_share_dirs}/.com.google.Chrome.* rw,
- # Cache files
 owner @{user_cache_dirs}/ rw,
 owner @{CHROME_CACHEDIR}/{,**/} rw,
 owner @{CHROME_CACHEDIR}/*/**/{*-,}index rw,
 owner @{CHROME_CACHEDIR}/*/**/[a-f0-9]*_? rw,
 owner @{CHROME_CACHEDIR}/*/**/todelete_* rw,
-
- # To remove browser history/cache
 owner @{CHROME_CACHEDIR}/PnaclTranslationCache/index rw,
 owner @{CHROME_CACHEDIR}/PnaclTranslationCache/data_[0-9]*[0-9] rw,
 # For importing data (bookmarks, cookies, etc) from Firefox
- owner @{HOME}/.mozilla/firefox/profiles.ini r,
- owner @{HOME}/.mozilla/firefox/*/ r,
- owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
- owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
- owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
- owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
- owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
- owner @{HOME}/.mozilla/firefox/*/logins.json r,
- # For importing data from Chromium
- owner "@{user_config_dirs}/chromium/Local State" r,
- owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
- owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
- owner @{user_config_dirs}/chromium/*/ r,
- owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
+ # owner @{HOME}/.mozilla/firefox/profiles.ini r,
+ # owner @{HOME}/.mozilla/firefox/*/ r,
+ # owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
+ # owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
+ # owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
+ # owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
+ # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
+ # owner @{HOME}/.mozilla/firefox/*/logins.json r,
- /etc/fstab r,
+ # For importing data (bookmarks, cookies, etc) from Chromium
+ # owner "@{user_config_dirs}/chromium/Local State" r,
+ # owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
+ # owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
+ # owner @{user_config_dirs}/chromium/*/ r,
+ # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
- # Needed or Google Chrome crash with the following error:
- # illegal hardware instruction
 @{PROC}/ r,
- # deny @{PROC}/vmstat r,
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 @{PROC}/@{pid}/fd/ r,
 deny @{PROC}/@{pids}/stat r,
 deny @{PROC}/@{pids}/statm r,
- # To remove the following error:
- # Failed to adjust OOM score of renderer with pid : Permission denied
- deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
- #
+ owner @{PROC}/@{pid}/oom_{,score_}adj rw,
 deny @{PROC}/@{pids}/cmdline r,
 deny owner @{PROC}/@{pids}/environ r,
 owner @{PROC}/@{pid}/task/ r,
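Review bot: `owner @{PROC}/@{pid}/oom_{,score_}adj rw,` turns a former explicit deny into an allow and drops the comment that explained the need, yet the rule only achieves its stated purpose (the browser adjusting its renderers' OOM score) if `@{pid}` expands to a glob rather than the caller's own PID, since the renderers are child processes; with a glob, `owner` is the sole thing scoping the write, so it covers the oom_score_adj of every same-uid process, not just Chrome's. The exposure is modest — without CAP_SYS_RESOURCE the kernel only lets a writer raise a score, i.e. make a process more OOM-eligible — but it is a policy relaxation and should be stated, e.g. `# Chrome adjusts the OOM score of its renderer children; owner limits this to same-uid processes`. If the tunables offer a variable restricted to the profile's own process tree, prefer it here. The profile body continues outside this hunk.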
@@ -123,56 +117,21 @@ profile google-chrome-chrome @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
 deny @{PROC}/diskstats r,
- # To play DRM media (protected content)
- @{CHROME_INSTALLDIR}/libwidevinecdm.so mr,
- @{CHROME_INSTALLDIR}/libwidevinecdmadapter.so mr,
+ @{run}/udev/data/* r,
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- # Udev enumeration
 @{sys}/bus/ r,
 @{sys}/bus/**/devices/ r,
- @{sys}/devices/**/uevent r,
 @{sys}/class/ r,
 @{sys}/class/**/ r,
- @{run}/udev/data/* r,
- @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
- @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
-
- deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
- deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
-
- # To remove the following error:
- # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
- # The irq file is needed to render pages.
+ @{sys}/devices/**/uevent r,
 @{sys}/devices/pci[0-9]*/**/irq r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+ @{sys}/devices/virtual/tty/tty[0-9]/active r,
 # Silencer
 deny @{CHROME_INSTALLDIR}/** w,
-
- profile open {
- include
- include
-
- /{usr/,}bin/xdg-open mr,
-
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
-
 include if exists
 }
diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera
index 4d9c45e5c..b793e5027 100644
--- a/apparmor.d/groups/browsers/opera
+++ b/apparmor.d/groups/browsers/opera
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -13,20 +14,20 @@ include
 @{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer}
 profile opera @{exec_path} {
 include
- include
- include
- include
- include
- include
- include
- include
 include
- include
- include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 include
+ include
 include
 include
- include
+ include
+ include
 ptrace (trace) peer=@{profile_name},
@@ -41,25 +42,32 @@ profile opera @{exec_path} {
 @{exec_path} mrix,
- /{usr/,}bin/which{,.debianutils} rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 @{OPERA_INSTALLDIR}/opera_sandbox rPx,
 @{OPERA_INSTALLDIR}/opera_crashreporter rPx,
 @{OPERA_INSTALLDIR}/opera_autoupdate krix,
+ /opt/google/chrome{,-beta,-unstable}/libwidevinecdm.so mr,
+ /opt/google/chrome{,-beta,-unstable}/libwidevinecdmadapter.so mr,
 /{usr/,}bin/lsb_release rPx -> lsb_release,
 /{usr/,}bin/xdg-mime rPx,
- /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/xdg-open rPx -> child-open,
 /{usr/,}bin/xdg-settings rPx,
 /{usr/,}bin/xdg-desktop-menu rPx,
 /{usr/,}bin/xdg-icon-resource rPx,
- # Opera home files
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /etc/fstab r,
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
 owner @{HOME}/ r,
 owner @{OPERA_HOMEDIR}/ rw,
 owner @{OPERA_HOMEDIR}/** rwk,
- # Cache files
 owner @{user_cache_dirs}/ rw,
 owner @{OPERA_CACHEDIR}/{,**/} rw,
 owner @{OPERA_CACHEDIR}/**/{*-,}index rw,
@@ -67,38 +75,31 @@ profile opera @{exec_path} {
 owner @{OPERA_CACHEDIR}/**/todelete_* rw,
 # For importing data (bookmarks, cookies, etc) from Firefox
- owner @{HOME}/.mozilla/firefox/profiles.ini r,
- owner @{HOME}/.mozilla/firefox/*/ r,
- owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
- owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
- owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
- owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
- owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
- owner @{HOME}/.mozilla/firefox/*/logins.json r,
- # For importing data from Chromium
- owner "@{user_config_dirs}/chromium/Local State" r,
- owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
- owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
- owner @{user_config_dirs}/chromium/*/ r,
- owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
+ # owner @{HOME}/.mozilla/firefox/profiles.ini r,
+ # owner @{HOME}/.mozilla/firefox/*/ r,
+ # owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
+ # owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
+ # owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
+ # owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
+ # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
+ # owner @{HOME}/.mozilla/firefox/*/logins.json r,
- /etc/fstab r,
+ # For importing data (bookmarks, cookies, etc) from Chromium
+ # owner "@{user_config_dirs}/chromium/Local State" r,
+ # owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
+ # owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
+ # owner @{user_config_dirs}/chromium/*/ r,
+ # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ owner /tmp/opera-crashlog-[0-9]*-[0-9]*.txt rw,
- # Needed or opera crashes with the following error:
- # illegal hardware instruction
 @{PROC}/ r,
- # deny @{PROC}/vmstat r,
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 @{PROC}/@{pid}/fd/ r,
 deny @{PROC}/@{pids}/stat r,
 deny @{PROC}/@{pids}/statm r,
- # To remove the following error:
- # Failed to adjust OOM score of renderer with pid : Permission denied
- deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
- #
+ owner @{PROC}/@{pid}/oom_{,score_}adj rw,
 deny owner @{PROC}/@{pids}/cmdline r,
 deny owner @{PROC}/@{pids}/environ r,
 owner @{PROC}/@{pid}/task/ r,
@@ -110,60 +111,22 @@ profile opera @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
- # To play DRM media (protected content)
- /opt/google/chrome{,-beta,-unstable}/libwidevinecdm.so mr,
- /opt/google/chrome{,-beta,-unstable}/libwidevinecdmadapter.so mr,
+ @{run}/udev/data/* r,
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- # Udev enumeration
 @{sys}/bus/ r,
 @{sys}/bus/**/devices/ r,
- @{sys}/devices/**/uevent r,
 @{sys}/class/ r,
 @{sys}/class/**/ r,
- @{run}/udev/data/* r,
- @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
- @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
-
- deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
-
- # To remove the following error:
- # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
- # The irq file is needed to render pages.
+ @{sys}/devices/**/uevent r,
 @{sys}/devices/pci[0-9]*/**/irq r,
-
- # For crashreporter
- owner /tmp/opera-crashlog-[0-9]*-[0-9]*.txt rw,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
+ @{sys}/devices/virtual/tty/tty[0-9]/active r,
 /dev/ r,
 # Silencer
 deny @{OPERA_INSTALLDIR}/** w,
-
- profile open {
- include
- include
-
- /{usr/,}bin/xdg-open mr,
-
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
-
 include if exists
 }