
# veilor-os AppArmor profile — Thorium browser (Chromium fork)
#
# Scope:
# Confine the Thorium browser binary at /usr/bin/thorium. Thorium is a
# Chromium derivative; it sandboxes its own renderer/GPU/utility processes,
# but the *browser* process itself runs with the user's full permissions
# unless a MAC layer scopes it down. This profile is that scope.
#
# Mode:
# complain — log violations to audit.log but do NOT block. This is the
# first-fit profile; the user is expected to refine it from observed
# denials before flipping to enforce. See `aa-logprof` to convert audit
# denials into rule additions. Note that explicit `deny` rules are
# reportedly still enforced even in complain mode; verify on the target
# kernel before relying on complain mode being fully non-blocking.
#
# Manual enable:
# sudo install -m 0644 scripts/apparmor/usr.bin.thorium /etc/apparmor.d/
# sudo apparmor_parser -r /etc/apparmor.d/usr.bin.thorium
# sudo aa-complain /etc/apparmor.d/usr.bin.thorium # log only
# sudo aa-enforce /etc/apparmor.d/usr.bin.thorium # block
#
# NOT enabled in kickstart by default. v0.5 work.
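#include <tunables/global>

# Browser process profile. @{HOME} and @{pid} come from tunables/global.
# Renderer/GPU/utility children are forked (no exec transition) and so stay
# under this profile, with Chromium's own seccomp/namespace sandbox on top.
profile thorium /usr/bin/thorium flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/audio>
  #include <abstractions/dbus-session>
  #include <abstractions/fonts>
  #include <abstractions/freedesktop.org>
  #include <abstractions/gnome>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/X>

  # ---- network ----
  # Classic AppArmor network rules are keyed on address family and socket
  # type, not on port or direction: "inet stream" permits any TCP
  # connection (and listening sockets), not just HTTP/HTTPS. Port-level
  # egress policy belongs in the packet filter, not here.
  network inet stream,
  network inet6 stream,
  network inet dgram,       # DNS resolution (also QUIC, if enabled)
  network inet6 dgram,
  network netlink raw,      # route/interface lookups (resolver, NetworkManager)
  # Deny rules take precedence over allow rules regardless of ordering, so
  # the raw-socket deny must be scoped to inet/inet6. A bare
  # "deny network raw" matches type raw in every family and would silently
  # override the netlink raw allowance above.
  deny network inet raw,
  deny network inet6 raw,
  deny network packet,
  deny network bluetooth,
  deny network can,
  deny network rds,
  deny network sctp,

  # ---- binary + libs ----
  /usr/bin/thorium mr,
  /usr/lib/thorium/** mr,
  /usr/share/thorium/** r,
  /opt/thorium/** mr,
  /etc/thorium/** r,
  # NOTE(review): if /usr/bin/thorium is a wrapper script rather than the
  # ELF binary, the interpreter and the real executable under
  # /usr/lib/thorium will need an ix rule — watch for exec denials in the
  # complain log before enforcing.

  # ---- per-user state ----
  owner @{HOME}/.config/thorium/** rwk,
  owner @{HOME}/.cache/thorium/** rwk,
  owner @{HOME}/.local/share/thorium/** rwk,

  # ---- file pickers: only Downloads is writable ----
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rwk,
  owner @{HOME}/Documents/ r,
  owner @{HOME}/Documents/** r,
  owner @{HOME}/Pictures/ r,
  owner @{HOME}/Pictures/** r,

  # ---- /proc: own uid only, deny memory peeking ----
  # @{pid} matches any numeric pid, not specifically this process; the
  # "owner" keyword is what limits reads to processes of the same uid.
  owner /proc/@{pid}/** r,
  deny /proc/*/mem rwk,
  # NOTE(review): Chromium's crash reporter / stack tracing may read its own
  # /proc/self/maps — confirm from the complain log that this deny does not
  # break crash handling before enforcing.
  deny /proc/*/maps r,
  deny /proc/sys/kernel/** w,

  # ---- ptrace: forbidden ----
  deny ptrace,
  deny capability sys_ptrace,

  # ---- kernel: no module load, no /dev/kmem, no /dev/mem ----
  deny capability sys_module,
  deny /dev/kmem rwk,
  deny /dev/mem rwk,
  deny /dev/port rwk,
  deny /sys/kernel/** w,

  # ---- temp ----
  /tmp/ r,
  owner /tmp/** rwk,
  /var/tmp/ r,
  owner /var/tmp/** rwk,

  # ---- system info read-only ----
  /etc/machine-id r,
  /etc/os-release r,
  /etc/localtime r,
  /sys/devices/system/cpu/** r,
  /sys/class/net/** r,

  # ---- SUID sandbox helper ----
  # chrome-sandbox needs capabilities the browser process must never hold,
  # so it is confined by the nested child profile below ("Cx -> sandbox")
  # rather than running unconfined or inheriting this profile. Chromium only
  # execs this helper when unprivileged user namespaces are unavailable.
  /usr/lib/thorium/chrome-sandbox Cx -> sandbox,
  # xdg-open: use its own profile if one is loaded, otherwise inherit ours.
  /usr/bin/xdg-open Pix,

  profile sandbox {
    #include <abstractions/base>

    # Required for the helper's chroot/namespace setup. Chromium's helper is
    # expected to drop these before exec'ing the zygote — confirm for this
    # Thorium build. "ix" below keeps the zygote in this child profile, which
    # deliberately carries none of the parent's desktop/file access.
    capability sys_admin,
    capability sys_chroot,
    capability sys_ptrace,

    /usr/lib/thorium/chrome-sandbox mr,
    /usr/lib/thorium/** mrix,

    # NOTE(review): these match every pid; once the complain log shows which
    # paths are actually written, consider tightening to
    # "owner /proc/@{pid}/..." so the helper cannot touch other processes'
    # namespace maps.
    /proc/*/setgroups w,
    /proc/*/uid_map w,
    /proc/*/gid_map w,
  }
}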