# Author: Jamie Strandboge #include # Debian compatibility aliases # https://bugs.debian.org/742829 # alias /etc/chromium-browser/ -> /etc/chromium/, alias /usr/bin/chromium-browser -> /usr/bin/chromium, alias /usr/lib/chromium-browser/chromium-browser-sandbox -> /usr/lib/chromium/chrome-sandbox, alias /usr/lib/chromium-browser/chromium-browser -> /usr/lib/chromium/chromium, alias /usr/lib/chromium-browser/ -> /usr/lib/chromium/, # We need 'flags=(attach_disconnected)' in newer chromium versions /usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) { #include #include #include #include #include #include #include #include # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if # you want access to productivity applications, adjust the following file # accordingly. #include # Networking network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/if_inet6 r, @{PROC}/[0-9]*/net/ipv6_route r, # Should maybe be in abstractions /etc/mime.types r, /etc/mailcap r, /etc/mtab r, /etc/xdg/xubuntu/applications/defaults.list r, owner @{HOME}/.local/share/applications/defaults.list r, owner @{HOME}/.local/share/applications/mimeinfo.cache r, @{PROC}/[0-9]*/fd/ r, @{PROC}/filesystems r, @{PROC}/ r, @{PROC}/[0-9]*/task/[0-9]*/stat r, owner @{PROC}/[0-9]*/cmdline r, owner @{PROC}/[0-9]*/io r, owner @{PROC}/[0-9]*/setgroups w, owner @{PROC}/[0-9]*/{uid,gid}_map w, @{PROC}/[0-9]*/smaps r, owner @{PROC}/[0-9]*/stat r, @{PROC}/[0-9]*/statm r, owner @{PROC}/[0-9]*/status r, owner @{PROC}/[0-9]*/task/[0-9]*/status r, deny @{PROC}/[0-9]*/oom_{,score_}adj w, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/net/ipv4/tcp_fastopen r, # Newer chromium needs these now /etc/udev/udev.conf r, /sys/devices/**/uevent r, /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r, /sys/devices/system/node/node*/meminfo r, /sys/devices/pci[0-9]*/**/class r, /sys/devices/pci[0-9]*/**/device r, /sys/devices/pci[0-9]*/**/irq r, /sys/devices/pci[0-9]*/**/resource r, /sys/devices/pci[0-9]*/**/vendor r, /sys/devices/pci[0-9]*/**/removable r, /sys/devices/pci[0-9]*/**/block/**/size r, /sys/devices/virtual/block/**/removable r, /sys/devices/virtual/block/**/size r, /sys/devices/virtual/tty/tty*/active r, # This is requested, but doesn't seem to actually be needed so deny for now deny /run/udev/data/** r, # Needed for the crash reporter owner @{PROC}/[0-9]*/auxv r, # chromium mmaps all kinds of things for speed. /etc/passwd m, /usr/share/fonts/truetype/**/*.tt[cf] m, /usr/share/fonts/**/*.pfb m, /usr/share/mime/mime.cache m, /usr/share/icons/**/*.cache m, owner /{dev,run}/shm/pulse-shm* m, owner @{HOME}/.local/share/mime/mime.cache m, owner /tmp/** m, @{PROC}/sys/kernel/shmmax r, owner /{dev,run}/shm/{,.}org.chromium.* mrw, owner /{,var/}run/shm/shmfd-* mrw, /usr/lib/chromium-browser/*.pak mr, /usr/lib/chromium-browser/locales/* mr, # Noisy deny /usr/lib/chromium-browser/** w, capability sys_admin, capability sys_chroot, capability sys_ptrace, # Allow ptracing ourselves ptrace (trace) peer=@{profile_name}, # Make browsing directories work / r, /**/ r, # Allow access to documentation and other files the user may want to look # at in /usr /usr/{include,share,src}** r, # Default profile allows downloads to ~/Downloads and uploads from ~/Public owner @{HOME}/ r, owner @{HOME}/Public/ r, owner @{HOME}/Public/* r, owner @{HOME}/Downloads/ r, owner @{HOME}/Downloads/* rw, # For migration owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.mozilla/firefox/*/prefs.js r, # Helpers /usr/bin/xdg-open ixr, /usr/bin/gnome-open ixr, /usr/bin/gvfs-open ixr, /usr/bin/kdialog ixr, # TODO: xfce # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/** # which is provided by abstractions/ubuntu-browsers.d/user-files). /etc/firefox/profile/bookmarks.html r, owner @{HOME}/.mozilla/** k, # Chromium Policies /etc/chromium-browser/policies/** r, # Chromium configuration owner @{HOME}/.pki/nssdb/* rwk, owner @{HOME}/.cache/chromium/ rw, owner @{HOME}/.cache/chromium/** rw, owner @{HOME}/.cache/chromium/Cache/* mr, owner @{HOME}/.config/chromium/ rw, owner @{HOME}/.config/chromium/** rwk, owner @{HOME}/.config/chromium/**/Cache/* mr, owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr, owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr, # Allow transitions to ourself and our sandbox /usr/lib/chromium-browser/chromium-browser ix, /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox, /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox, # Allow communicating with sandbox unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox), /{usr/,}bin/ps Uxr, /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings, /usr/bin/xdg-settings Cxr -> xdgsettings, /usr/bin/lsb_release Cxr -> lsb_release, # GSettings owner /{,var/}run/user/*/dconf/ rw, owner /{,var/}run/user/*/dconf/user rw, owner @{HOME}/.config/dconf/user r, profile xdgsettings { #include #include /{usr/,}bin/dash ixr, /etc/ld.so.cache r, /etc/xdg/** r, /usr/bin/xdg-settings r, /usr/lib/chromium-browser/xdg-settings r, /usr/share/applications/*.desktop r, # Checking default browser /{usr/,}bin/grep ixr, /{usr/,}bin/readlink ixr, /{usr/,}bin/sed ixr, /{usr/,}bin/which ixr, /usr/bin/basename ixr, /usr/bin/cut ixr, # Setting the default browser /{usr/,}bin/mkdir ixr, /{usr/,}bin/mv ixr, /{usr/,}bin/touch ixr, /usr/bin/dirname ixr, /usr/bin/gconftool-2 ix, /usr/bin/[gm]awk ixr, /usr/bin/xdg-mime ixr, owner @{HOME}/.local/share/applications/ w, owner @{HOME}/.local/share/applications/mimeapps.list* rw, } profile lsb_release { #include #include /usr/bin/lsb_release r, /{usr/,}bin/dash ixr, /usr/bin/dpkg-query ixr, /usr/include/python2.[4567]/pyconfig.h r, /etc/lsb-release r, /etc/debian_version r, /etc/dpkg/origins/** r, /usr/share/distro-info/** r, /var/lib/dpkg/** r, /usr/local/lib/python3.[0-9]/dist-packages/ r, /usr/bin/ r, /usr/bin/python3.[0-9] mr, } # Site-specific additions and overrides. See local/README for details. #include profile chromium_browser_sandbox { # Be fanatical since it is setuid root and don't use an abstraction /{usr/,}lib/libgcc_s.so* mr, /{usr/,}lib/@{multiarch}/libgcc_s.so* mr, /{usr/,}lib{,32,64}/libm-*.so* mr, /{usr/,}lib/@{multiarch}/libm-*.so* mr, /{usr/,}lib{,32,64}/libpthread-*.so* mr, /{usr/,}lib/@{multiarch}/libpthread-*.so* mr, /{usr/,}lib{,32,64}/libc-*.so* mr, /{usr/,}lib/@{multiarch}/libc-*.so* mr, /{usr/,}lib{,32,64}/libld-*.so* mr, /{usr/,}lib/@{multiarch}/libld-*.so* mr, /{usr/,}lib{,32,64}/ld-*.so* mr, /{usr/,}lib/@{multiarch}/ld-*.so* mr, /{usr/,}lib/tls/*/{cmov,nosegneg}/libm-*.so* mr, /{usr/,}lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr, /{usr/,}lib/tls/*/{cmov,nosegneg}/libc-*.so* mr, /usr/lib/libstdc++.so* mr, /usr/lib/@{multiarch}/libstdc++.so* mr, /etc/ld.so.cache r, # Required for dropping into PID namespace. Keep in mind that until the # process drops this capability it can escape confinement, but once it # drops CAP_SYS_ADMIN we are ok. capability sys_admin, # All of these are for sanely dropping from root and chrooting capability chown, capability fsetid, capability setgid, capability setuid, capability dac_override, capability sys_chroot, capability sys_ptrace, ptrace (read, readby), signal (receive) peer=unconfined, signal peer=@{profile_name}, signal (receive, send) set=("exists"), signal (receive) peer=/usr/lib/chromium-browser/chromium-browser, unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser), unix (create), unix peer=(label=@{profile_name}), unix (getattr, getopt, setopt, shutdown) addr=none, @{PROC}/ r, @{PROC}/[0-9]*/ r, @{PROC}/[0-9]*/fd/ r, deny @{PROC}/[0-9]*/oom_adj w, deny @{PROC}/[0-9]*/oom_score_adj w, @{PROC}/[0-9]*/status r, @{PROC}/[0-9]*/task/[0-9]*/stat r, /usr/bin/chromium-browser r, /usr/lib/chromium-browser/chromium-browser Px, /usr/lib/chromium-browser/chromium-browser-sandbox r, /usr/lib/chromium-browser/chrome-sandbox mr, /dev/null rw, owner /tmp/** rw, } }