mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 14:25:52 +00:00
Code Issues Releases Wiki Activity

Merge profiles: update snap_browsers permissions

Browse Source 
The snap_browsers abstraction requires more permissions
due to updates on snaps.

Some of the permissions are not required in older versions of
Ubuntu that use 2.12 and 2.13, but are introduced for unification
and ease of maintenance purposes. These include:
```
    all dbus permissions,
    @{PROC}/sys/kernel/random/uuid r,
    owner @{PROC}/@{pid}/cgroup r,
    /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
```

I also propose a cherry-pick of this commit to 2.12, 2.13 and 3.0

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/877
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit bfa67b369d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2022-04-19 18:35:52 +00:00
committed by John Johansen
parent 80400e0aa7
commit ae03462f25
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
profiles/apparmor.d/abstractions/snap_browsers
View File

@@ -1,6 +1,7 @@
profile snap_browsers { profile snap_browsers {
include if exists <abstractions/snap_browsers.d> include if exists <abstractions/snap_browsers.d>
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-session-strict>
/etc/passwd r, /etc/passwd r,
/etc/nsswitch.conf r, /etc/nsswitch.conf r,
@@ -8,7 +9,6 @@ profile snap_browsers {
# noisy # noisy
deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu
deny /run/snapd.socket rw,
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r, /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r,
@@ -16,14 +16,19 @@ profile snap_browsers {
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix, /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix,
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix, /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix,
/var/lib/snapd/system-key r, /var/lib/snapd/system-key r,
/run/snapd.socket rw,
@{PROC}/version r, @{PROC}/version r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/sys/kernel/random/uuid r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{HOME}/.snap/auth.json r, # if exists, required owner @{HOME}/.snap/auth.json r, # if exists, required
owner /run/user/[0-9]*/bus rw,
dbus send bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="StartTransientUnit" peer=(name="org.freedesktop.systemd1"),
dbus receive bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="JobRemoved",
/sys/kernel/security/apparmor/features/ r, /sys/kernel/security/apparmor/features/ r,
@@ -31,5 +36,7 @@ profile snap_browsers {
/snap/chromium/[0-9]*/meta/{snap.yaml,hooks/} r, /snap/chromium/[0-9]*/meta/{snap.yaml,hooks/} r,
/snap/firefox/[0-9]*/meta/{snap.yaml,hooks/} r, /snap/firefox/[0-9]*/meta/{snap.yaml,hooks/} r,
/snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r, /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
/var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
# add other browsers here # add other browsers here
} }