Comment 0 for bug 1586547

Chad Miller (cmiller) wrote : snappy needs security policy for chromium

As I understand it, we plan to punch holes in AppArmor and seccomp specifically for a new chromium profile. From devmode, I extracted the AppArmor denials for chromium-browser. Note that in devmode each entry is logged as apparmor="ALLOWED" with the would-be denial recorded in denied_mask, so every line below is an access that the strict profile would have blocked.

apparmor="ALLOWED" operation="capable" profile="snap.chromium.chromium" pid=NNNNN comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="mknod" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_FileUser" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="mknod" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_IOThread" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_FileUser" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/" pid=NNNNN comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/" pid=NNNNN comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/policy.json" pid=NNNNN comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/recommended/" pid=NNNNN comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/recommended/" pid=NNNNN comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/NNNNN/oom_score_adj" pid=NNNNN comm="chromium-browse" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/NNNNN/setgroups" pid=NNNNN comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/NNNNN/uid_map" pid=NNNNN comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/usr/share/applications/" pid=NNNNN comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/usr/share/applications/python3.5.desktop" pid=NNNNN comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/usr/share/applications/vim.desktop" pid=NNNNN comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/applications/" pid=NNNNN comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/var/tmp/" pid=NNNNN comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="truncate" profile="snap.chromium.chromium" name="/proc/17939/oom_score_adj" pid=NNNNN comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="unlink" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_FileUser" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="unlink" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_IOThread" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000