aboutsummaryrefslogtreecommitdiff
path: root/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers
diff options
context:
space:
mode:
authorLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
committerLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
commit39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch)
tree9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers
parent6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff)
downloadbin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz
bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers')
-rw-r--r--straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers98
1 files changed, 98 insertions, 0 deletions
diff --git a/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers b/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers
new file mode 100644
index 0000000..d5f2243
--- /dev/null
+++ b/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers
@@ -0,0 +1,98 @@
+# Lenient profile that is intended to be used when 'Ux' is desired but
+# does not provide enough environment sanitizing. This effectively is an
+# open profile that blacklists certain known dangerous files and also
+# does not allow any capabilities. For example, it will not allow 'm' on files
+# owned be the user invoking the program. While this provides some additional
+# protection, please use with care as applications running under this profile
+# are effectively running without any AppArmor protection. Use this profile
+# only if the process absolutely must be run (effectively) unconfined.
+#
+# Usage:
+# Because this abstraction defines the sanitized_helper profile, it must only
+# be included once. Therefore this abstraction should typically not be
+# included in other abstractions so as to avoid parser errors regarding
+# multiple definitions.
+#
+# Limitations:
+# 1. This does not work for root owned processes, because of the way we use
+# owner matching in the sanitized helper. We could do a better job with
+# this to support root, but it would make the policy harder to understand
+# and going unconfined as root is not desirable any way.
+#
+# 2. For this sanitized_helper to work, the program running in the sanitized
+# environment must open symlinks directly in order for AppArmor to mediate
+# it. This is confirmed to work with:
+# - compiled code which can load shared libraries
+# - python imports
+# It is known not to work with:
+# - perl includes
+# 3. Sanitizing ruby and java
+#
+# Use at your own risk. This profile was developed as an interim workaround for
+# LP: #851986 until AppArmor utilizes proper environment filtering.
+
+ abi <abi/4.0>,
+
+profile sanitized_helper {
+ include <abstractions/base>
+ include <abstractions/X>
+ include if exists <local/ubuntu-helpers>
+
+ # Allow all networking
+ network inet,
+ network inet6,
+
+ # Allow all DBus communications
+ include <abstractions/dbus-session-strict>
+ include <abstractions/dbus-strict>
+ dbus,
+
+ # Needed for Google Chrome
+ ptrace (trace) peer=**//sanitized_helper,
+
+ # Allow exec of anything, but under this profile. Allow transition
+ # to other profiles if they exist.
+ /{usr/,usr/local/,}{bin,sbin}/* Pixr,
+
+ # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
+ /usr/{,local/}lib*/{,**/}* Pixr,
+
+ # Allow exec of software-center scripts. We may need to allow wider
+ # permissions for /usr/share, but for now just do this. (LP: #972367)
+ /usr/share/software-center/* Pixr,
+
+ # Allow exec of texlive font build scripts (LP: #1010909)
+ /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,
+
+ # While the chromium and chrome sandboxes are setuid root, they only link
+ # in limited libraries so glibc's secure execution should be enough to not
+ # require the santized_helper (ie, LD_PRELOAD will only use standard system
+ # paths (man ld.so)).
+ /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
+ /usr/lib/chromium{,-browser}/chrome-sandbox PUxr,
+ /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
+ /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
+ /opt/google/chrome{,-beta,-unstable}/chrome Pixr,
+ /opt/google/chrome{,-beta,-unstable}/chrome_crashpad_handler Pixr,
+ /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
+
+ # The same is needed for Brave
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,
+
+ # Allow running snap applications
+ # https://bugs.launchpad.net/apparmor/+bug/2095872
+ /usr/bin/snap ux,
+
+ # Full access
+ / r,
+ /** rwkl,
+ /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
+
+ # Dangerous files
+ audit deny owner /**/* m, # compiled libraries
+ audit deny owner /**/*.py* r, # python imports
+}