diff options
| author | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-03-20 19:16:32 +0100 |
|---|---|---|
| committer | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-03-20 19:16:32 +0100 |
| commit | 39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch) | |
| tree | 9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers | |
| parent | 6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff) | |
| download | bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip | |
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers')
| -rw-r--r-- | straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers b/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers new file mode 100644 index 0000000..d5f2243 --- /dev/null +++ b/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers @@ -0,0 +1,98 @@ +# Lenient profile that is intended to be used when 'Ux' is desired but +# does not provide enough environment sanitizing. This effectively is an +# open profile that blacklists certain known dangerous files and also +# does not allow any capabilities. For example, it will not allow 'm' on files +# owned be the user invoking the program. While this provides some additional +# protection, please use with care as applications running under this profile +# are effectively running without any AppArmor protection. Use this profile +# only if the process absolutely must be run (effectively) unconfined. +# +# Usage: +# Because this abstraction defines the sanitized_helper profile, it must only +# be included once. Therefore this abstraction should typically not be +# included in other abstractions so as to avoid parser errors regarding +# multiple definitions. +# +# Limitations: +# 1. This does not work for root owned processes, because of the way we use +# owner matching in the sanitized helper. We could do a better job with +# this to support root, but it would make the policy harder to understand +# and going unconfined as root is not desirable any way. +# +# 2. For this sanitized_helper to work, the program running in the sanitized +# environment must open symlinks directly in order for AppArmor to mediate +# it. This is confirmed to work with: +# - compiled code which can load shared libraries +# - python imports +# It is known not to work with: +# - perl includes +# 3. Sanitizing ruby and java +# +# Use at your own risk. This profile was developed as an interim workaround for +# LP: #851986 until AppArmor utilizes proper environment filtering. + + abi <abi/4.0>, + +profile sanitized_helper { + include <abstractions/base> + include <abstractions/X> + include if exists <local/ubuntu-helpers> + + # Allow all networking + network inet, + network inet6, + + # Allow all DBus communications + include <abstractions/dbus-session-strict> + include <abstractions/dbus-strict> + dbus, + + # Needed for Google Chrome + ptrace (trace) peer=**//sanitized_helper, + + # Allow exec of anything, but under this profile. Allow transition + # to other profiles if they exist. + /{usr/,usr/local/,}{bin,sbin}/* Pixr, + + # Allow exec of libexec applications in /usr/lib* and /usr/local/lib* + /usr/{,local/}lib*/{,**/}* Pixr, + + # Allow exec of software-center scripts. We may need to allow wider + # permissions for /usr/share, but for now just do this. (LP: #972367) + /usr/share/software-center/* Pixr, + + # Allow exec of texlive font build scripts (LP: #1010909) + /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr, + + # While the chromium and chrome sandboxes are setuid root, they only link + # in limited libraries so glibc's secure execution should be enough to not + # require the santized_helper (ie, LD_PRELOAD will only use standard system + # paths (man ld.so)). + /usr/lib/chromium-browser/chromium-browser-sandbox PUxr, + /usr/lib/chromium{,-browser}/chrome-sandbox PUxr, + /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr, + /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr, + /opt/google/chrome{,-beta,-unstable}/chrome Pixr, + /opt/google/chrome{,-beta,-unstable}/chrome_crashpad_handler Pixr, + /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m, + + # The same is needed for Brave + /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr, + /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr, + /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr, + /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr, + /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m, + + # Allow running snap applications + # https://bugs.launchpad.net/apparmor/+bug/2095872 + /usr/bin/snap ux, + + # Full access + / r, + /** rwkl, + /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m, + + # Dangerous files + audit deny owner /**/* m, # compiled libraries + audit deny owner /**/*.py* r, # python imports +} |
