Prepare for AppArmor 4.0 release

- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>

common/Version

@@ -1 +1 @@
-4.0.0~beta4
+4.0.0

parser/apparmor.d.pod

@@ -148,7 +148,14 @@ B<CAPABILITY LIST> = ( I<CAPABILITY> )+
 B<CAPABILITY> = (lowercase capability name without 'CAP_' prefix; see
 capabilities(7))
 
-B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]
+B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<NETWORK ACCESS EXPR> ] [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ] [ I<NETWORK LOCAL EXPR> ] [ I<NETWORK PEER EXPR> ]
+
+B<NETWORK ACCESS EXPR> = ( I<NETWORK ACCESS> | I<NETWORK ACCESS LIST> )
+
+B<NETWORK ACCESS> = ( 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' )
+  Some access modes are incompatible with some rules.
+
+B<NETWORK ACCESS LIST> = '(' I<NETWORK ACCESS> ( [','] I<NETWORK ACCESS> )* ')'
 
 B<DOMAIN> = ( 'unix' | 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'netlink' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'rds' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'llc' | 'ib' | 'mpls' | 'can' | 'tipc' | 'bluetooth' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'kcm' | 'qipcrtr' | 'smc' | 'xdp' | 'mctp' ) ','
 
@@ -156,6 +163,22 @@ B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' | 'packet' )
 
 B<PROTOCOL> = ( 'tcp' | 'udp' | 'icmp' )
 
+B<NETWORK LOCAL EXPR> = ( I<NETWORK IP COND> | I<NETWORK PORT COND> )*
+  Each cond can appear at most once.
+
+B<NETWORK PEER EXPR> = 'peer' '=' '(' ( I<NETWORK IP COND> | I<NETWORK PORT COND> )+ ')'
+  Each cond can appear at most once.
+
+B<NETWORK IP COND> = 'ip' '=' ( 'none' | I<NETWORK IPV4> | I<NETWORK IPV6> )
+
+B<NETWORK PORT COND> = 'port' '=' ( I<NETWORK PORT> )
+
+B<NETWORK IPV4> = IPv4, represented by four 8-bit decimal numbers separated by '.'
+
+B<NETWORK IPV6> = IPv6, represented by eight groups of four hexadecimal numbers separated by ':'. Shortened representation of contiguous zeros is allowed by using '::'
+
+B<NETWORK PORT> = 16-bit number ranging from 0 to 65535
+
 B<MOUNT RULE> = ( I<MOUNT> | I<REMOUNT> | I<UMOUNT> )
 
 B<MOUNT> = [ I<QUALIFIERS> ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ '-E<gt>' [ I<MOUNTPOINT FILEGLOB> ]
@@ -912,11 +935,10 @@ and other operations that are typically reserved for the root user.
 
 =head2 Network Rules
 
-AppArmor supports simple coarse grained network mediation.  The network
-rule restrict all socket(2) based operations.  The mediation done is
-a coarse-grained check on whether a socket of a given type and family
-can be created, read, or written.  There is no mediation based of port
-number or protocol beyond tcp, udp, and raw.  Network netlink(7) rules may
+AppArmor supports simple coarse grained network mediation.  The
+network rule restrict all socket(2) based operations.  The mediation
+done is a coarse-grained check on whether a socket of a given type and
+family can be created, read, or written. Network netlink(7) rules may
 only specify type 'dgram' and 'raw'.
 
 AppArmor network rules are accumulated so that the granted network
@@ -933,6 +955,48 @@ eg.
  network inet6 tcp,	#allow access to tcp only for inet6 addresses
  network netlink raw,	#allow access to AF_NETLINK SOCK_RAW
 
+=head3 Network permissions
+
+Network rule permissions are implied when a rule does not explicitly
+state an access list. By default if a rule does not have an access
+list all permissions that are compatible with the specified set of
+local and peer conditionals are implied.
+
+The create, bind, listen, shutdown, getattr, setattr, getopt, and
+setopt permissions are local socket permissions. They are only applied
+to the local socket and can't be specified in rules that have a peer
+conditional. The accept permission applies to the combination of a
+local and peer socket. The connect, send, and receive permissions are
+peer socket permissions.
+
+=head3 Mediation of inet/inet6 family
+
+AppArmor supports fine grained mediation of the inet and inet6
+families by using the ip and port conditionals. The ip conditional
+accepts both IPv4 and IPv6 using the regular representation of four
+octets separated by '.' for IPv4 and eight groups of four hexadecimal
+numbers separated by ':' for IPv6. Contiguous leading zeros can be
+replaced by '::' once. On a connected socket, the sender and receiver
+don't need to be specified in the recvfrom and sendto system calls. In
+that case, and with unbounded sockets, the IP address is none, or
+unknown. Unknown or Unbound IP addresses are represented in policy by the
+'none' keyword. When the ip conditional is omitted, then all IP
+addresses will be allowed: IPv4, IPv6 and none. If INADDR_ANY or
+in6addr_any is used, then the ip conditional can be omitted or they
+can be represented by:
+
+ network ip=::,		#allow in6addr_any
+ network ip=0.0.0.0;	#allow INADDR_ANY
+
+The network rules support the specification of local and remote IP
+addresses and ports.
+
+ network ip=127.0.0.1 port=8080,
+ network peer=(ip=10.139.15.23 port=8081),
+ network ip=fd74:1820:b03a:b361::cf32 peer=(ip=fd74:1820:b03a:b361::a0f9),
+ network port=8080 peer=(port=8081),
+ network ip=127.0.0.1 port=8080 peer=(ip=10.139.15.23 port=8081),
+
 =head2 Mount Rules
 
 AppArmor supports mount mediation and allows specifying filesystem types and

parser/network.cc

@@ -360,8 +360,8 @@ bool network_rule::parse_port(ip_conds &entry)
 
 bool network_rule::parse_address(ip_conds &entry)
 {
-	if (strcmp(entry.sip, "anon") == 0) {
-		entry.is_anonymous = true;
+	if (strcmp(entry.sip, "none") == 0) {
+		entry.is_none = true;
 		return true;
 	}
 	entry.is_ip = true;
@@ -405,17 +405,31 @@ network_rule::network_rule(perms_t perms_p, struct cond_entry *conds,
 			   struct cond_entry *peer_conds):
 	dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
 {
-	size_t family_index;
-	for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
-		network_map[family_index].push_back({ family_index, 0xFFFFFFFF, 0xFFFFFFFF });
-		set_netperm(family_index, 0xFFFFFFFF, 0xFFFFFFFF);
-	}
+	size_t family_index, i;
 
 	move_conditionals(conds, local);
 	move_conditionals(peer_conds, peer);
 	free_cond_list(conds);
 	free_cond_list(peer_conds);
 
+	if (has_local_conds() || has_peer_conds()) {
+		const char *family[] = { "inet", "inet6" };
+		for (i = 0; i < sizeof(family)/sizeof(family[0]); i++) {
+			const struct network_tuple *mapping = NULL;
+			while ((mapping = net_find_mapping(mapping, family[i], NULL, NULL))) {
+				network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
+				set_netperm(mapping->family, mapping->type, mapping->protocol);
+			}
+		}
+	} else {
+		for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
+			network_map[family_index].push_back({ family_index, 0xFFFFFFFF, 0xFFFFFFFF });
+			set_netperm(family_index, 0xFFFFFFFF, 0xFFFFFFFF);
+		}
+	}
+
+
+
 	if (perms_p) {
 		perms = perms_p;
 		if (perms & ~AA_VALID_NET_PERMS)
@@ -433,13 +447,34 @@ network_rule::network_rule(perms_t perms_p, const char *family, const char *type
 	dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
 {
 	const struct network_tuple *mapping = NULL;
+
+	move_conditionals(conds, local);
+	move_conditionals(peer_conds, peer);
+	free_cond_list(conds);
+	free_cond_list(peer_conds);
+
 	while ((mapping = net_find_mapping(mapping, family, type, protocol))) {
+		/* if inet conds and family are specified, fail if
+		 * family is not af_inet or af_inet6
+		 */
+		if ((has_local_conds() || has_peer_conds()) &&
+		    mapping->family != AF_INET && mapping->family != AF_INET6) {
+			yyerror("network family does not support local or peer conditionals\n");
+		}
 		network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
 		set_netperm(mapping->family, mapping->type, mapping->protocol);
 	}
 
 	if (type == NULL && network_map.empty()) {
 		while ((mapping = net_find_mapping(mapping, type, family, protocol))) {
+			/* if inet conds and type/protocol are
+			 * specified, only add rules for af_inet and
+			 * af_inet6
+			 */
+			if ((has_local_conds() || has_peer_conds()) &&
+			    mapping->family != AF_INET && mapping->family != AF_INET6)
+				continue;
+
 			network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
 			set_netperm(mapping->family, mapping->type, mapping->protocol);
 		}
@@ -448,11 +483,6 @@ network_rule::network_rule(perms_t perms_p, const char *family, const char *type
 	if (network_map.empty())
 		yyerror(_("Invalid network entry."));
 
-	move_conditionals(conds, local);
-	move_conditionals(peer_conds, peer);
-	free_cond_list(conds);
-	free_cond_list(peer_conds);
-
 	if (perms_p) {
 		perms = perms_p;
 		if (perms & ~AA_VALID_NET_PERMS)
@@ -585,13 +615,13 @@ std::string gen_port_cond(uint16_t port)
 std::list<std::ostringstream> gen_all_ip_options(std::ostringstream &oss) {
 
 	std::list<std::ostringstream> all_streams;
-	std::ostringstream anon, ipv4, ipv6;
+	std::ostringstream none, ipv4, ipv6;
 	int i;
-	anon << oss.str();
+	none << oss.str();
 	ipv4 << oss.str();
 	ipv6 << oss.str();
 
-	anon << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ANON_SIZE;
+	none << "\\x" << std::setfill('0') << std::setw(2) << std::hex << NONE_SIZE;
 
 	/* add a byte containing the size of the following ip */
 	ipv4 << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV4_SIZE;
@@ -603,7 +633,7 @@ std::list<std::ostringstream> gen_all_ip_options(std::ostringstream &oss) {
 	for (i = 0; i < 16; ++i)
 		ipv6 << ".";
 
-	all_streams.push_back(std::move(anon));
+	all_streams.push_back(std::move(none));
 	all_streams.push_back(std::move(ipv4));
 	all_streams.push_back(std::move(ipv6));
 
@@ -627,7 +657,7 @@ bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &st
 	std::list<std::ostringstream> ip_streams;
 
 	for (auto &oss : streams) {
-		if (entry.is_port && !(entry.is_ip && entry.is_anonymous)) {
+		if (entry.is_port && !(entry.is_ip && entry.is_none)) {
 			/* encode port type (privileged - 1, remote - 2, unprivileged - 0) */
 			if (!is_peer && perms & AA_NET_BIND && entry.port < IPPORT_RESERVED)
 				oss << "\\x01";
@@ -650,8 +680,8 @@ bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &st
 		if (entry.is_ip) {
 			oss << gen_ip_cond(entry.ip);
 			streams.push_back(std::move(oss));
-		} else if (entry.is_anonymous) {
-			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ANON_SIZE;
+		} else if (entry.is_none) {
+			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << NONE_SIZE;
 			streams.push_back(std::move(oss));
 		} else {
 			streams.splice(streams.end(), gen_all_ip_options(oss));
@@ -898,7 +928,7 @@ static int cmp_ip_conds(ip_conds const &lhs, ip_conds const &rhs)
 	res = null_strcmp(lhs.sport, rhs.sport);
 	if (res)
 		return res;
-	return lhs.is_anonymous - rhs.is_anonymous;
+	return lhs.is_none - rhs.is_none;
 }
 
 static int cmp_network_map(std::unordered_map<unsigned int, std::pair<unsigned int, unsigned int>> lhs,

parser/network.h

@@ -80,7 +80,7 @@
 #define CMD_LISTEN	2
 #define CMD_OPT		4
 
-#define ANON_SIZE	0
+#define NONE_SIZE	0
 #define IPV4_SIZE	1
 #define IPV6_SIZE	2
 
@@ -132,7 +132,7 @@ public:
 	uint16_t port;
 	struct ip_address ip;
 
-	bool is_anonymous = false;
+	bool is_none = false;
 
 	void free_conds() {
 		if (sip)

parser/tst/simple_tests/network/network_bad_83.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid family for inet conditionals
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network unix ip=127.0.0.1 port=1234 peer=(ip=127.0.0.1 port=1234),
+
+}

parser/tst/simple_tests/network/network_bad_84.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid family for inet conditionals
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network netlink ip=127.0.0.1,
+
+}

parser/tst/simple_tests/network/network_bad_85.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid family for inet conditionals
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network packet peer=(port=1234),
+
+}

parser/tst/simple_tests/network/network_ok_43.sd

@@ -5,5 +5,7 @@
 /usr/bin/foo {
   network inet ip=10.0.2.1 peer=(ip=10.0.2.1),
   network inet tcp ip=192.168.2.254 peer=(ip=192.168.2.254),
+  network stream ip=192.168.2.254 peer=(ip=192.168.2.254),
+  network raw ip=10.0.2.1 peer=(ip=10.0.2.1),
 
 }

parser/tst/simple_tests/network/network_ok_44.sd

@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION network none ip conditional test
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  network ip=none,
+  network peer=(ip=none),
+  network inet ip=none peer=(ip=none),
+  network inet tcp ip=none peer=(ip=none),
+
+}

profiles/apparmor.d/abstractions/transmission-common

@@ -0,0 +1,153 @@
+# vim:syntax=apparmor
+# LOGPROF-SUGGEST: no
+# Author: Daniel Richard G. <skunk@iSKUNK.ORG>
+
+  include <abstractions/base>
+  include <abstractions/freedesktop.org>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+
+  network inet    dgram,
+  network inet6   dgram,
+  network netlink dgram,
+  network inet    stream,
+  network inet6   stream,
+
+  dbus (bind)
+       bus=session
+       name=com.transmissionbt.Transmission,
+  dbus (bind)
+       bus=session
+       name=com.transmissionbt.transmission_*,
+
+  dbus (receive)
+       bus=session
+       path=/ca/desrt/dconf/Writer/user
+       interface=ca.desrt.dconf.Writer
+       member=Notify,
+  dbus (send)
+       bus=session
+       path=/ca/desrt/dconf/Writer/user
+       interface=ca.desrt.dconf.Writer
+       member=Change
+       peer=(name=ca.desrt.dconf),
+
+  dbus (receive)
+       bus=accessibility
+       path=/org/a11y/atspi/accessible/root
+       interface=org.freedesktop.DBus.Properties
+       member=Set,
+  dbus (send)
+       bus=accessibility
+       path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Socket
+       member=Embed
+       peer=(name=org.a11y.atspi.Registry),
+  dbus (send)
+       bus=accessibility
+       path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=GetRegisteredEvents
+       peer=(name=org.a11y.atspi.Registry),
+  dbus (send)
+       bus=accessibility
+       path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member={GetDeviceEventListeners,GetKeystrokeListeners}
+       peer=(name=org.a11y.atspi.Registry),
+
+  dbus (send)
+       bus={accessibility,session}
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={AddMatch,GetNameOwner,Hello,ReleaseName,RemoveMatch,RequestName,StartServiceByName}
+       peer=(name=org.freedesktop.DBus),
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       path=/StatusNotifierWatcher
+       member=Introspect
+       peer=(name=org.kde.StatusNotifierWatcher),
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.DBus.Properties
+       path=/StatusNotifierWatcher
+       member=Get
+       peer=(name=org.kde.StatusNotifierWatcher),
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.DBus.Properties
+       path=/org/a11y/bus
+       member=Get
+       peer=(name=org.a11y.Bus),
+  dbus (send)
+       bus=system
+       interface=org.freedesktop.DBus.Properties
+       path=/org/freedesktop/hostname1
+       member=GetAll,
+
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.Notifications
+       path=/org/freedesktop/Notifications
+       member={GetCapabilities,Notify},
+
+  dbus (send)
+       bus=session
+       path=/org/gtk/Private/RemoteVolumeMonitor
+       interface=org.gtk.Private.RemoteVolumeMonitor
+       member={IsSupported,List},
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/Daemon
+       interface=org.gtk.vfs.Daemon
+       member={GetConnection,ListMonitorImplementations},
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/mount/[1-9]*
+       interface=org.gtk.vfs.Mount
+       member={CreateFileMonitor,Enumerate,QueryInfo},
+  dbus (receive)
+       bus=session
+       path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=Mounted,
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member={ListMountableInfo,ListMounts2,LookupMount},
+
+  @{PROC}/sys/kernel/random/uuid r,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  owner @{run}/user/@{uid}/gvfsd/socket-* rw,
+
+  @{etc_ro}/fstab r,
+
+  @{system_share_dirs}/hwdata/** r,
+  @{system_share_dirs}/lxqt/**   r,
+
+  owner /tmp/tr_session_id_* rwk,
+
+  # allow a top-level directory listing
+  @{HOME}/ r,
+
+  owner @{HOME}/.cache/transmission/    w,
+  owner @{HOME}/.cache/transmission/**  rw,
+  owner @{HOME}/.config/transmission/   w,
+  owner @{HOME}/.config/transmission/** rw,
+
+  owner @{HOME}/.config/lxqt/lxqt.conf  r,
+
+  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/    r,
+  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/**  rw,
+
+  # exclude these for now
+  deny /usr/share/thumbnailers/ r,
+  deny @{HOME}/.local/share/gvfs-metadata/** r,
+  deny @{HOME}/.config/lxqt/**  rw,
+
+  include if exists <abstractions/transmission-common.d>

profiles/apparmor.d/foliate

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile foliate /usr/bin/foliate flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/foliate>
+}

profiles/apparmor.d/transmission

@@ -0,0 +1,76 @@
+# vim:syntax=apparmor
+# Author: Daniel Richard G. <skunk@iSKUNK.ORG>
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile transmission-daemon /usr/bin/transmission-daemon flags=(complain) {
+  # Don't use abstractions/transmission-common here, as the
+  # access needed is narrower than the user applications
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+
+  network inet  dgram,
+  network inet6 dgram,
+  network inet  stream,
+  network inet6 stream,
+
+  owner @{PROC}/@{pid}/mounts r,
+  @{PROC}/sys/kernel/random/uuid r,
+
+  @{run}/systemd/notify w,
+
+  /etc/transmission-daemon/** r,
+  owner /etc/transmission-daemon/settings.json{,.tmp.*} rw,
+
+  owner /tmp/tr_session_id_* rwk,
+
+  /usr/share/transmission/web/** r,
+
+  owner /var/lib/transmission-daemon/.config/transmission-daemon/** rw,
+  owner /var/lib/transmission-daemon/downloads/** rw,
+  owner /var/lib/transmission-daemon/info/**      rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/transmission>
+  include if exists <local/transmission-daemon>
+}
+
+profile transmission-cli /usr/bin/transmission-cli flags=(complain) {
+  include <abstractions/transmission-common>
+  include <abstractions/consoles>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/transmission>
+  include if exists <local/transmission-cli>
+}
+
+profile transmission-gtk /usr/bin/transmission-gtk flags=(complain) {
+  include <abstractions/transmission-common>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dconf>
+  include <abstractions/gnome>
+
+  owner @{run}/user/*/dconf/user w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/transmission>
+  include if exists <local/transmission-gtk>
+}
+
+profile transmission-qt /usr/bin/transmission-qt flags=(complain) {
+  include <abstractions/transmission-common>
+  include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/fonts>
+  include <abstractions/X>
+  include <abstractions/qt5>
+  include <abstractions/qt5-settings-write>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/transmission>
+  include if exists <local/transmission-qt>
+}

profiles/apparmor/profiles/extras/chromium_browser

@@ -12,7 +12,7 @@
 
 abi <abi/4.0>,
 
-#include <tunables/global>
+include <tunables/global>
 
 @{chromium} = chromium{,-browser}
 
@@ -22,10 +22,13 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   include <abstractions/cups-client>
   include <abstractions/dbus-session>
   include <abstractions/dbus-strict>
+  include <abstractions/fonts>
   include <abstractions/gnome>
   include <abstractions/ibus>
+  include <abstractions/mesa>
   include <abstractions/nameservice>
   include <abstractions/user-tmp>
+  include <abstractions/vulkan>
 
   # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
   # you want access to productivity applications, adjust the following file
@@ -57,14 +60,48 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
        member={EnumerateDevices,GetDisplayDevice}
        peer=(label=unconfined),
 
-  # ???
-  deny dbus (send)
+  dbus (send)
        bus=system
        path=/org/freedesktop/hostname1
        interface=org.freedesktop.DBus.Properties
        member=GetAll
        peer=(label=unconfined),
 
+  dbus (receive)
+       bus=system
+       path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       member={SessionNew,SessionRemoved}
+       peer=(label=unconfined),
+
+  dbus (send)
+       bus=session
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={AddMatch,GetNameOwner,Hello,NameHasOwner,RemoveMatch,StartServiceByName}
+       peer=(name=org.freedesktop.DBus),
+
+  dbus (send)
+       bus=session
+       path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.freedesktop.portal.Desktop),
+
+  dbus (send)
+       bus=session
+       path=/org/freedesktop/Notifications
+       interface=org.freedesktop.Notifications
+       member={GetCapabilities,GetServerInformation}
+       peer=(name=org.freedesktop.Notifications),
+
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=ListMountableInfo
+       peer=(label=unconfined),
+
   # Networking
   network inet stream,
   network inet6 stream,
@@ -72,30 +109,35 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   @{PROC}/@{pid}/net/ipv6_route r,
 
   # Should maybe be in abstractions
+  /etc/fstab r,
   /etc/mime.types r,
   /etc/mailcap r,
   /etc/mtab r,
   /etc/xdg/xubuntu/applications/defaults.list r,
+  owner @{HOME}/.cache/thumbnails/** r,
   owner @{HOME}/.local/share/applications/defaults.list r,
   owner @{HOME}/.local/share/applications/mimeinfo.cache r,
   /tmp/.X[0-9]*-lock r,
 
   @{PROC}/self/exe ixr,
-  @{PROC}/@{pid}/fd/ r,
   @{PROC}/filesystems r,
+  @{PROC}/pressure/{cpu,io,memory} r,
   @{PROC}/vmstat r,
   @{PROC}/ r,
-  @{PROC}/@{pid}/task/@{tid}/stat r,
+  owner @{PROC}/@{pid}/task/@{tid}/stat r,
+  owner @{PROC}/@{pid}/clear_refs w,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/io r,
+  owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/setgroups w,
   owner @{PROC}/@{pid}/{uid,gid}_map w,
-  @{PROC}/@{pid}/smaps r,
+  owner @{PROC}/@{pid}/smaps r,
   @{PROC}/@{pid}/stat r,
   @{PROC}/@{pid}/statm r,
-  @{PROC}/@{pid}/status r,
+  owner @{PROC}/@{pid}/status r,
   owner @{PROC}/@{pid}/task/@{tid}/status r,
   deny @{PROC}/@{pid}/oom_{,score_}adj w,
+  @{PROC}/sys/fs/inotify/max_user_watches r,
   @{PROC}/sys/kernel/yama/ptrace_scope r,
   @{PROC}/sys/net/ipv4/tcp_fastopen r,
 
@@ -105,13 +147,24 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   /sys/devices/**/uevent r,
   /sys/devices/system/cpu/cpufreq/policy*/cpuinfo_max_freq r,
   /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
+  /sys/devices/system/cpu/kernel_max r,
+  /sys/devices/system/cpu/possible r,
+  /sys/devices/system/cpu/present r,
   /sys/devices/system/node/node*/meminfo r,
+  /sys/devices/pci[0-9]*/**/bConfigurationValue r,
+  /sys/devices/pci[0-9]*/**/boot_vga r,
+  /sys/devices/pci[0-9]*/**/busnum r,
   /sys/devices/pci[0-9]*/**/class r,
   /sys/devices/pci[0-9]*/**/config r,
+  /sys/devices/pci[0-9]*/**/descriptors r,
   /sys/devices/pci[0-9]*/**/device r,
+  /sys/devices/pci[0-9]*/**/devnum r,
   /sys/devices/pci[0-9]*/**/irq r,
+  /sys/devices/pci[0-9]*/**/manufacturer r,
+  /sys/devices/pci[0-9]*/**/product r,
   /sys/devices/pci[0-9]*/**/resource r,
   /sys/devices/pci[0-9]*/**/revision r,
+  /sys/devices/pci[0-9]*/**/serial r,
   /sys/devices/pci[0-9]*/**/subsystem_device r,
   /sys/devices/pci[0-9]*/**/subsystem_vendor r,
   /sys/devices/pci[0-9]*/**/vendor r,
@@ -122,6 +175,7 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   /sys/devices/virtual/tty/tty*/active r,
   # This is requested, but doesn't seem to actually be needed so deny for now
   deny /run/udev/data/** r,
+  deny /sys/devices/virtual/dmi/id/* r,
 
   # Needed for the crash reporter
   owner @{PROC}/@{pid}/auxv r,
@@ -132,13 +186,13 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   /usr/share/fonts/**/*.pfb m,
   /usr/share/mime/mime.cache m,
   /usr/share/icons/**/*.cache m,
-  owner /{dev,run}/shm/pulse-shm* m,
+  owner /{dev,run,var/run}/shm/pulse-shm* m,
   owner @{HOME}/.local/share/mime/mime.cache m,
   owner /tmp/** m,
 
   @{PROC}/sys/kernel/shmmax r,
-  owner /{dev,run}/shm/{,.}org.chromium.* mrw,
-  owner /{,var/}run/shm/shmfd-* mrw,
+  owner /{dev,run,var/run}/shm/{,.}org.chromium.* mrw,
+  owner /{dev,run,var/run}/shm/shmfd-* mrw,
 
   /usr/lib/@{chromium}/*.pak mr,
   /usr/lib/@{chromium}/locales/* mr,
@@ -149,8 +203,8 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
 
   # Allow ptracing ourselves and our helpers
   ptrace (trace) peer=@{profile_name},
-  ptrace (trace) peer=@{profile_name}//xdgsettings,
-  ptrace (trace) peer=lsb_release,
+  ptrace (read, trace) peer=@{profile_name}//xdgsettings,
+  ptrace (read, trace) peer=lsb_release,
 
   # Make browsing directories work
   / r,
@@ -183,10 +237,9 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   /etc/firefox/profile/bookmarks.html r,
   owner @{HOME}/.mozilla/** k,
 
-  # Chromium Policies
-  /etc/@{chromium}/policies/** r,
-
   # Chromium configuration
+  /etc/@{chromium}/** r,
+  # Note: "~/.pki/{,nssdb/} w" is denied by private-files abstraction
   owner @{HOME}/.pki/nssdb/* rwk,
   owner @{HOME}/.cache/chromium/ rw,
   owner @{HOME}/.cache/chromium/** rw,
@@ -197,12 +250,18 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
   owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
 
-  # Allow transitions to ourself and our sandbox
+  # Widevine CDM plugin
+  owner @{HOME}/.config/chromium/WidevineCdm/*/_platform_specific/*/libwidevinecdm.so mr,
+
+  # Allow transitions to ourself, our sandbox, and crash handler
   /usr/lib/@{chromium}/@{chromium} ix,
   /usr/lib/@{chromium}/chrome-sandbox cx -> sandbox,
+  /usr/lib/@{chromium}/chrome_crashpad_handler Cxr -> crashpad_handler,
 
-  # Allow communicating with sandbox
+  # Allow communicating with sandbox and crash handler
   unix (receive, send) peer=(label=@{profile_name}//sandbox),
+  unix (receive, send) peer=(label=@{profile_name}//crashpad_handler),
+  signal (receive) set=(cont) peer=@{profile_name}//crashpad_handler,
 
   /{usr/,}bin/ps Uxr,
   /usr/lib/@{chromium}/xdg-settings Cxr -> xdgsettings,
@@ -210,10 +269,13 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   /usr/bin/lsb_release Pxr -> lsb_release,
 
   # GSettings
-  owner /{,var/}run/user/*/dconf/     rw,
-  owner /{,var/}run/user/*/dconf/user rw,
+  owner @{run}/user/[0-9]*/dconf/     rw,
+  owner @{run}/user/[0-9]*/dconf/user rw,
   owner @{HOME}/.config/dconf/user r,
 
+  # GVfs
+  owner @{run}/user/[0-9]*/gvfsd/socket-* rw,
+
   # Magnet links
   /usr/bin/gio ixr,
 
@@ -230,7 +292,7 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
     /etc/ld.so.cache r,
     /etc/xdg/** r,
     /usr/bin/xdg-settings r,
-    /{usr/,}lib{,32,64}/@{chromium}/xdg-settings r,
+    /usr/lib/@{chromium}/xdg-settings r,
     /usr/share/applications/*.desktop r,
     /usr/share/applications/*.list r,
 
@@ -266,6 +328,8 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
     /{usr/,}lib/@{multiarch}/libpthread-*.so* mr,
     /{usr/,}lib{,32,64}/libatomic.so* mr,
     /{usr/,}lib/@{multiarch}/libatomic.so* mr,
+    /{usr/,}lib{,32,64}/libc.so.* mr,
+    /{usr/,}lib/@{multiarch}/libc.so.* mr,
     /{usr/,}lib{,32,64}/libc-*.so* mr,
     /{usr/,}lib/@{multiarch}/libc-*.so* mr,
     /{usr/,}lib{,32,64}/libdl-*.so* mr,
@@ -326,6 +390,32 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
     owner /tmp/** rw,
   }
 
+  profile crashpad_handler {
+    include <abstractions/base>
+
+    capability sys_ptrace,
+
+    ptrace (read, trace) peer=chromium_browser,
+
+    signal (send) set=(cont) peer=chromium_browser,
+
+    unix (receive, send) peer=(label=chromium_browser),
+
+    /usr/lib/@{chromium}/chrome_crashpad_handler ixr,
+
+    /sys/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{cur,max}_freq r,
+
+    @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+    owner @{PROC}/@{pid}/fd/ r,
+    owner @{PROC}/@{pid}/mem r,
+    owner @{PROC}/@{pid}/stat r,
+    owner @{PROC}/@{pid}/task/ r,
+    owner @{PROC}/@{pid}/task/@{tid}/comm r,
+
+    owner @{HOME}/.config/chromium/Crash?Reports/** rwk,
+  }
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/chromium_browser>
 }

profiles/apparmor/wike

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile wike /usr/bin/wike flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/wike>
+}

utils/test/test-parser-simple-tests.py

@@ -492,6 +492,7 @@ syntax_failure = (
     'network/network_ok_41.sd',
     'network/network_ok_42.sd',
     'network/network_ok_43.sd',
+    'network/network_ok_44.sd',
     'network/perms/ok_accept_1.sd',
     'network/perms/ok_accept_2.sd',
     'network/perms/ok_attr_1.sd',