KodiacZiller

Most Secure General Browser On the Planet

Yeah, the title is a bit overboard, but with Linux and Chrome, you can have the most secure browsing setup in any general purpose OS. If there's anything more secure out there (for a fully functional browser on a general purpose OS) I would like to see it.

I prefer to use Chromium, but considering it does not sandbox flash, I decided to bite the bullet and use the official Chrome.

At any rate, my setup has *three* sandboxes for Chrome. Two of them come with Chrome, and one I created with AppArmor.

I am using Ubuntu 12.04 with Google Chrome v. 21.0.1180.89. So these instructions will be for that setup only. People on other distros with AppArmor can probably use most of this, but you will have to tweak your AppArmor profiles a bit.

At any rate, here's how to do it:

STEP 1

Download Chrome. Be sure to select the .deb package (since this is for Ubuntu).

After it has downloaded, you can right-click the .deb file and click "Open in Software Center." Or, if you prefer, you can run "sudo dpkg -i filename". From there it will install to /opt/.

STEP 2:

Chrome comes with two sandboxes. The chroot() sandbox and the SECCOMP sandbox (google and read up on them if interested. The SECCOMP sandbox is pretty cool). SECCOMP is disabled by default, thus you must enable it. The best way to do this is to edit the .desktop file like so:

gksudo gedit /usr/share/applications/google-chrome.desktop
 

Look at the file and find the lines that start with "Exec". You will see 3 or so such lines. The first one is on line 108. Change it to look like this:

 Exec=/opt/google/chrome/google-chrome --enable-seccomp-sandbox %U
 

The second one is on line 168. Simply add the --enable-seccomp-sandbox line to the end of it.

And finally, the third one is on line 221. It should look like this:

Exec=/opt/google/chrome/google-chrome --incognito --enable-seccomp-sandbox
 

Now start Chrome from the Unity bar. Once the browser loads, type the following in the URL bar:

about:sandbox
 

You should see the following text:

Sandbox Status

SUID Sandbox Yes
PID namespaces Yes
Network namespaces Yes
Seccomp sandbox Yes
You are adequately sandboxed.
If so, then you're done with enabling Chrome's built in sandboxes.

STEP 3:

The final step is to set up an AppArmor profile. I wrote a profile from scratch. For Chrome, you have two profiles. One is opt.google.chrome.chrome and the other is opt.google.chrome.chrome-sandbox. I will list them below:

opt.google.chrome.chrome profile:

# Last Modified: Wed Sep 19 08:49:42 2012
#include <tunables/global>
 
/opt/google/chrome/chrome {
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/cups-client>
  #include <abstractions/fonts>
  #include <abstractions/freedesktop.org>
  #include <abstractions/ubuntu-browsers.d/java>
  #include <abstractions/user-tmp>
 
  # For networking.  Decided not to use abstractions here.  
  network inet stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,
  /etc/resolv.conf r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
 
  # Python stuff
  /etc/python2.7/sitecustomize.py r,
  /usr/include/python2.7/ r,
  /usr/include/python2.7/** r,
  /usr/local/lib/python2.7/ r,
  /usr/local/lib/python2.7/** r,
  /usr/share/pyshared/ r,
  /usr/share/pyshared/** r,
 
  /opt/google/chrome/ r,
  /opt/google/chrome/** m,
  /opt/google/chrome/** rwkl,
 
  /dev/ r,
  /dev/nvidiactl rw,
  /dev/nvidia0 rw,
  /etc/debian_version r,
  /etc/group r,  
  /etc/lsb-release r,
  /etc/gai.conf r,
  /etc/mtab r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/passwd r,
  /etc/xdg/xubuntu/applications/defaults.list r,
  /run/shm/*.google** rw,
  /selinux/ r,
  /var/lib/dbus/machine-id r,
 
  owner @{HOME}/.config/google-chrome/Default/Shortcuts rwk,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner @{HOME}/.cache/dconf/user rw,
  owner @{HOME}/.config/dconf/user r,
  owner @{HOME}/.config/google-chrome/ r,
  owner @{HOME}/.config/google-chrome/** rwkl,
  owner @{HOME}/.config/ibus/bus/ rw,
  owner @{HOME}/.cache/google-chrome/Default/Cache/ r,
  owner @{HOME}/.cache/google-chrome/Default/Cache/** rw,
 
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/filesystems r,
  @{PROC}/ r,
  @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/*/oom_score_adj rw,
  @{PROC}/sys/kernel/shmmax r,
  @{PROC}/*/task/ r,
  owner @{PROC}/[0-9]*/cmdline r,
  owner @{PROC}/[0-9]*/io r,
  owner @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/status r,
  
 
  # Newer chromium needs these now
  /sys/devices/pci[0-9]*/**/class r,
  /sys/devices/pci[0-9]*/**/device r,
  /sys/devices/pci[0-9]*/**/irq r,
  /sys/devices/pci[0-9]*/**/resource r,
  /sys/devices/pci[0-9]*/**/vendor r,
  /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
  /sys/bus/pci/devices/ r,
 
  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,
 
  /bin/dash ixr,
  /usr/bin/lsb_release ixr,
  /usr/bin/xdg-open ixr,
  /usr/bin/gnome-open ixr,
  /usr/bin/gvfs-open ixr,
 
  owner @{HOME}/.pki/nssdb/* rwk,
 
  # Libraries Chrome needs
  /usr/lib/x86_64-linux-gnu/pango/*/modules/*.so mr,
  /usr/lib/x86_64-linux-gnu/gtk-2.0/*/immodules/*.so mr,
 
  # For themes
  /usr/share/misc/ r,
  /usr/share/misc/** r,
  /usr/share/glib-2.0/schemas/ r,
  /usr/share/glib-2.0/schemas/** r,
  /usr/share/themes/ r,
  /usr/share/themes/** r,
 
  # Allow transitions to ourself and our sandbox
  /opt/google/chrome/chrome-sandbox Pxr,
  /opt/google/chrome/google-chrome ixr,
  /opt/google/chrome/chrome ixr,
  /opt/google/chrome/nacl_helper_bootstrap ixr,
 
  /usr/bin/xdg-settings ixr,
  
}
 

Name this file opt.google.chrome.chrome and place it inside the following directory:

/etc/apparmor.d

Here's the sandbox profile:

# Last Modified: Wed Sep 19 08:34:21 2012
#include <tunables/global>
 
/opt/google/chrome/chrome-sandbox {
  # Be fanatical since it is setuid root and don't use an abstraction
    /lib/libgcc_s.so* mr,
    /lib{,32,64}/libm-*.so* mr,
    /lib/@{multiarch}/libm-*.so* mr,
    /lib{,32,64}/libpthread-*.so* mr,
    /lib/@{multiarch}/libpthread-*.so* mr,
    /lib{,32,64}/libc-*.so* mr,
    /lib/@{multiarch}/libc-*.so* mr,
    /lib{,32,64}/libld-*.so* mr,
    /lib/@{multiarch}/libld-*.so* mr,
    /lib{,32,64}/ld-*.so* mr,
    /lib/@{multiarch}/ld-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
    /usr/lib/libstdc++.so* mr,
    /etc/ld.so.cache r,
 
    # Required for dropping into PID namespace. Keep in mind that until the
    # process drops this capability it can escape confinement, but once it
    # drops CAP_SYS_ADMIN we are ok.
    capability sys_admin,
 
    # All of these are for sanely dropping from root and chrooting
    capability chown,
    capability fsetid,
    capability setgid,
    capability setuid,
    capability dac_override,
    capability sys_chroot,
 
    # *Sigh*
    capability sys_ptrace,
 
    @{PROC}/ r,
    @{PROC}/[0-9]*/ r,
    @{PROC}/[0-9]*/fd/ r,
    @{PROC}/[0-9]*/oom_adj w,
    @{PROC}/[0-9]*/oom_score_adj w,
    @{PROC}/[0-9]*/task/[0-9]*/stat r,
 
    /opt/google/chrome r,
    /opt/google/chrome/chrome Px,
    /opt/google/chrome/chrome-sandbox r,
 
    owner /tmp/** rw,
}
 

Name this file opt.google.chrome.chrome-sandbox and place it in the same directory.

Now run the following commands:

cd /etc/apparmor.d
sudo aa-enforce opt.google.chrome**
 

Restart Chrome and see if it works. If it doesn't work properly, you can edit the AppArmor profile by checking the syslog errors. If you don't want to do that, you can disable the profile:

sudo aa-disable opt.google.chrome**
 

NOTE: If you enable this profile, the only place Chrome will allow you to download files to is /Downloads. Just a heads up.

Let me know if it works.

--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999
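The Exec= edit in STEP 2 can be scripted instead of done by hand in gedit, which also makes it easy to re-run safely after a Chrome package upgrade rewrites the .desktop file. The script below is an added example and is not code from the post above: it inserts --enable-seccomp-sandbox immediately after the program path on every Exec= line that lacks it (so field codes such as %U stay at the end, and the three Exec= lines the post references by line number are all covered without knowing their positions) and then counts any Exec= lines still missing the flag. The .desktop content it runs on is a constructed stand-in for /usr/share/applications/google-chrome.desktop; the real file is root-owned, so run the script with sudo against it.

```shell
#!/bin/sh
# Added example (not from the original post): patch every Exec= line of a
# .desktop launcher so it passes --enable-seccomp-sandbox to Chrome, and
# verify the result. The launcher content used below is a constructed copy;
# the real file on the poster's setup is
# /usr/share/applications/google-chrome.desktop (root-owned, edit via sudo).
set -eu

# add_exec_flag FILE FLAG: insert FLAG right after the program path on every
# Exec= line that does not already contain it. Inserting after the first
# token keeps trailing field codes such as %U where the .desktop spec expects
# them. Idempotent: a second run changes nothing. Limitation: assumes the
# program path itself contains no spaces (true for /opt/google/chrome/...).
add_exec_flag() {
    file=$1; flag=$2
    tmp=$(mktemp)
    awk -v flag="$flag" '
        /^Exec=/ && index($0, flag) == 0 {
            sub(/^Exec=/, "")
            n = split($0, parts, " ")
            out = "Exec=" parts[1] " " flag
            for (i = 2; i <= n; i++) out = out " " parts[i]
            print out; next
        }
        { print }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through so FILE keeps its owner and mode
    rm -f "$tmp"
}

# count_exec_without_flag FILE FLAG: number of Exec= lines still lacking FLAG.
# 0 means every launcher entry (normal, new window, incognito) is patched.
count_exec_without_flag() {
    grep '^Exec=' "$1" | grep -vc -- "$2" || true
}

# Stand-alone demo on a constructed launcher with the same three Exec= lines
# the post edits by hand.
demo_desktop() {
    dir=$(mktemp -d)
    f="$dir/google-chrome.desktop"
    cat > "$f" <<'EOF'
[Desktop Entry]
Name=Google Chrome
Exec=/opt/google/chrome/google-chrome %U
[NewWindow Shortcut Group]
Exec=/opt/google/chrome/google-chrome
[Incognito Shortcut Group]
Exec=/opt/google/chrome/google-chrome --incognito
EOF
    add_exec_flag "$f" --enable-seccomp-sandbox
    add_exec_flag "$f" --enable-seccomp-sandbox   # second run must be a no-op
    grep '^Exec=' "$f"
    left=$(count_exec_without_flag "$f" --enable-seccomp-sandbox)
    rm -rf "$dir"
    echo "Exec lines still missing the flag: $left"
}

demo_desktop
```

After patching the real file and relaunching from the Unity bar, the about:sandbox page is still the authoritative check that the flag took effect; the count above only proves the launcher was edited, not that the running browser picked it up (a Chrome instance that was already running will keep its old command line until it is fully quit).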


GoodThread

@pnap.net

Great write-up and nice to see you doing an aa-profile for it. I do have privacy concerns with Google, perhaps a very well constrained aa-profile for Firefox would be usable in this thread too.

Why does Chrome need to call dash with an inherited profile with execute/read rights?

/bin/dash ixr,



KodiacZiller

said by GoodThread:

Great write-up and nice to see you doing an aa-profile for it. I do have privacy concerns with Google, perhaps a very well constrained aa-profile for Firefox would be usable in this thread too.

Ubuntu comes with a default Firefox profile. It is disabled by default. It is probably not as restrictive as it could be. You can create your own from scratch with aa-genprof.
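The first post says to fix a broken profile by "checking the syslog errors", and the reply above points at aa-genprof for building one from scratch. The script below is an added example, not code from either poster and not a replacement for aa-logprof: it shows what that manual loop looks like. It pulls apparmor="DENIED" audit records out of a log, reduces each to a candidate rule keyed by the profile that refused the access, maps the kernel's create/delete/append masks onto w, and rewrites paths under /home/<user>/ as owner @{HOME}/ the way the profiles in this thread do. The log lines it parses are constructed for the demo in the type=1400 audit format Ubuntu 12.04 writes to /var/log/syslog and /var/log/kern.log; the user name, PIDs and timestamps in them are made up.

```shell
#!/bin/sh
# Added example (not from any post in this thread): turn AppArmor DENIED
# records into candidate profile rules for review. The sample log lines in
# demo_log are constructed; paths, PIDs and times are invented for the demo.
set -eu

# denials_to_rules LOGFILE: one "profile<TAB>rule" line per distinct
# (profile, object, denied mask) seen in apparmor="DENIED" records.
# Uses denied_mask rather than requested_mask so you grant only what was
# actually refused. Exec denials are flagged because the profile author
# must choose between ix, Px and Cx; the script does not decide that.
# Limitation: a name="..." containing spaces will be truncated at the space.
denials_to_rules() {
    awk '
        /apparmor="DENIED"/ {
            prof = ""; name = ""; mask = ""; capname = ""
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") < 2) continue
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "profile") prof = v
                else if (kv[1] == "name") name = v
                else if (kv[1] == "denied_mask") mask = v
                else if (kv[1] == "capname") capname = v
            }
            if (prof == "") next
            if (capname != "") {
                rule = "capability " capname ","
            } else if (name != "") {
                # Normalise the mask: c (create), d (delete), a (append) need w.
                m = ""
                if (mask ~ /r/) m = m "r"
                if (mask ~ /[wcda]/) m = m "w"
                if (mask ~ /k/) m = m "k"
                if (mask ~ /l/) m = m "l"
                if (mask ~ /m/) m = m "m"
                if (mask ~ /x/) m = m "x"
                prefix = ""
                if (sub("^/home/[^/]+/", "@{HOME}/", name)) prefix = "owner "
                rule = prefix name " " m ","
                if (m ~ /x/) rule = rule "   # exec: pick ix, Px or Cx"
            } else next
            key = prof "\t" rule
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    ' "$1" | LC_ALL=C sort
}

# rules_for PROFILE LOGFILE: the candidate rules for one profile, indented
# ready to paste into its block in /etc/apparmor.d for review.
rules_for() {
    denials_to_rules "$2" | awk -F '\t' -v p="$1" '$1 == p { print "  " $2 }'
}

# demo_log: write constructed syslog lines to a temp file and print its path.
demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Sep 29 03:30:01 box kernel: [  812.445] type=1400 audit(1348903801.101:41): apparmor="DENIED" operation="open" parent=2201 profile="/opt/google/chrome/chrome" name="/home/alice/.gtk-bookmarks" pid=2210 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 29 03:30:01 box kernel: [  812.446] type=1400 audit(1348903801.102:42): apparmor="DENIED" operation="open" parent=2201 profile="/opt/google/chrome/chrome" name="/home/alice/.gtk-bookmarks" pid=2210 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 29 03:30:02 box kernel: [  813.010] type=1400 audit(1348903802.300:43): apparmor="DENIED" operation="mknod" parent=2201 profile="/opt/google/chrome/chrome" name="/home/alice/.cache/google-chrome/Default/Cache/index" pid=2210 comm="chrome" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Sep 29 03:30:05 box kernel: [  816.221] type=1400 audit(1348903805.000:44): apparmor="DENIED" operation="exec" parent=2201 profile="/opt/google/chrome/chrome" name="/usr/bin/gnome-mplayer" pid=2230 comm="chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 29 03:30:05 box kernel: [  816.300] type=1400 audit(1348903805.050:45): apparmor="DENIED" operation="capable" parent=2201 profile="/opt/google/chrome/chrome-sandbox" pid=2205 comm="chrome-sandbox" capability=19 capname="sys_ptrace"
Sep 29 03:30:06 box kernel: [  817.000] type=1400 audit(1348903806.000:46): apparmor="STATUS" operation="profile_replace" name="/opt/google/chrome/chrome" pid=2300 comm="apparmor_parser"
EOF
    echo "$f"
}

log=$(demo_log)
echo "# candidate rules for /opt/google/chrome/chrome"
rules_for /opt/google/chrome/chrome "$log"
echo "# candidate rules for /opt/google/chrome/chrome-sandbox"
rules_for /opt/google/chrome/chrome-sandbox "$log"
rm -f "$log"
```

Against a real system, run something like rules_for /opt/google/chrome/chrome /var/log/syslog after reproducing the breakage. Treat the output as a list to review, not to paste: an exec denial needs a decision about which transition to allow, and a denial on a path you never expected Chrome to touch may be the profile doing exactly its job. To confirm the running browser is confined at all, cat /proc/$(pgrep -o chrome)/attr/current should print the profile name followed by (enforce); if it prints unconfined, the profile was not loaded against the binary the launcher actually runs.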


iwnaut

@telekom.at
reply to KodiacZiller

Does not work for me with latest update (chrome 22) on ubuntu 12.04. I get the following problem:

$ sudo aa-enforce opt.google.chrome**
Setting /etc/apparmor.d/opt.google.chrome.chrome to enforce mode.
Setting /etc/apparmor.d/opt.google.chrome.chrome-sandbox to enforce mode.
cat: /etc/apparmor.d/opt.google.chrome.chrome-sandbox: No such file or directory

Where is the problem?

Thank you very much



iwnaut

@telekom.at
reply to KodiacZiller

Okay, got it to work (I don't know how; suddenly it worked). It works very well except for one issue: using Chrome without AppArmor, CPU usage while playing YouTube videos is around 6%; in sandbox mode it is around 50%. If I disable the libpepflashplayer.so plugin, CPU usage is around 10%. A fix would be nice. Thank you for your great work!



iwnaut

@telekom.at
reply to KodiacZiller

How to allow plugins located in /usr/lib/mozilla/plugins/ like /usr/lib/mozilla/plugins/libtotem-cone-plugin.so ?



KodiacZiller

said by iwnaut:

How to allow plugins located in /usr/lib/mozilla/plugins/ like /usr/lib/mozilla/plugins/libtotem-cone-plugin.so ?

I have since revamped my profiles for more completeness and protection. I also cover plugins like Totem. Try these profiles:

usr.lib.totem.totem-plugin-viewer

# Last Modified: Thu Sep 27 06:35:40 2012
#include <tunables/global>
 
/usr/lib/totem/totem-plugin-viewer {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/fonts>
 
  network inet dgram,
  network inet stream,
  network inet6 stream,
 
  
  /etc/apt/apt.conf.d/ r,
  /etc/apt/apt.conf.d/* r,
  /etc/fstab r,
  /etc/gai.conf r,
  /etc/gnome/defaults.list r,
  /etc/gtk-3.0/settings.ini r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/pkcs11/modules/ r,
  /etc/pkcs11/modules/gnome-keyring-module r,
  /etc/python2.7/sitecustomize.py r,
  /etc/resolv.conf r,
  /etc/udev/udev.conf r,
  /etc/wildmidi/wildmidi.cfg r,
  /etc/xml/catalog r,
  /home/*/ r,
  /home/*/.ICEauthority r,
  /home/*/.Xauthority r,
  /home/*/.cache/dconf/user rw,
  /home/*/.config/dconf/user r,
  /home/*/.config/ibus/bus/ w,
  /home/*/.config/totem/state.ini* rw,
  /home/*/.config/user-dirs.dirs r,
  /home/*/.config/yelp/ w,
  /home/*/.gstreamer-*/registry.* rw,
  /home/*/.gtk-bookmarks r,
  /home/*/.icons/ r,
  /home/*/.local/share/applications/mime*.* r,
  /home/*/.local/share/gvfs-metadata/* r,
  /home/*/.local/share/icons/ r,
  /home/*/.local/share/icons/** r,
  /home/*/.local/share/mime/mime.cache r,
  /home/*/.local/share/recently-used.xbel* rw,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.mozilla/firefox/*.default/Cache/** r,
  /home/*/Desktop/ r,
  /home/*/Desktop/* r,
  /home/*/Desktop/Screenshot-* w,
  /proc/[0-9]*/auxv r,
  /proc/[0-9]*/fd/ r,
  /proc/[0-9]*/mountinfo r,
  /proc/[0-9]*/mounts r,
  /run/resolvconf/resolv.conf r,
  /run/udev/data/* r,
  /sys/devices/system/cpu/online r,
  /sys/devices/virtual/block/*/uevent r,
  /tmp/.com.google.Chrome.* r,
  /tmp/.goutputstream-* rw,
  /tmp/orcexec.* mrw,
  /tmp/totem-* rw,
  /tmp/totem-screenshot-*/ w,
  /tmp/totem-screenshot-*/** w,
  /usr/bin/gst-install rix,
  /usr/bin/totem rix,
  /usr/bin/yelp rix,
  /usr/include/python2.7/pyconfig.h r,
  /usr/lib/frei0r-1/ r,
  /usr/lib/gstreamer-*/ r,
  /usr/lib/gstreamer-*/libgst*.so* mr,
  /usr/lib/libgmime-*.so.* mr,
  /usr/lib/libtotem*.so** mr,
  /usr/lib/python2.7/** mr,
  /usr/lib/totem/totem-plugin-viewer r,
  /usr/lib/x86_64-linux-gnu/gstreamer-*/ r,
  /usr/lib/x86_64-linux-gnu/gstreamer-*/libgst*.so* mr,
  /usr/lib/x86_64-linux-gnu/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner rix,
  /usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules/im-ibus.so mr,
  /usr/lib/x86_64-linux-gnu/pango/*/modules/*.so mr,
  /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so mr,
  /usr/local/lib/python2.7/dist-packages/ r,
  /usr/share/applications/gnome-mplayer.desktop r,
  /usr/share/applications/mimeinfo.cache r,
  /usr/share/applications/totem.desktop r,
  /usr/share/applications/yelp.desktop r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome/help/totem/** r,
  /usr/share/gvfs/remote-volume-monitors/ r,
  /usr/share/gvfs/remote-volume-monitors/*.monitor r,
  /usr/share/icons/ r,
  /usr/share/icons/** r,
  /usr/share/libquvi-scripts/lua/util/ r,
  /usr/share/libquvi-scripts/lua/website/ r,
  /usr/share/libquvi-scripts/lua/website/** r,
  /usr/share/midi/freepats/** r,
  /usr/share/mime/mime.cache r,
  /usr/share/pixmaps/ r,
  /usr/share/pyshared/** r,
  /usr/share/themes/ r,
  /usr/share/themes/** r,
  /usr/share/totem/ r,
  /usr/share/totem/** r,
  /usr/share/yelp-xsl/** r,
  /usr/share/yelp/** r,
  /var/cache/apt-xapian-index/** r,
  /var/lib/apt-xapian-index/index r,
  /var/lib/dbus/machine-id r,
 
}
 

browser_openjdk (place this file in /etc/apparmor.d/abstractions).

# vim:syntax=apparmor
 
  owner @{HOME}/.java/deployment/deployment.properties k,  
 
  /usr/lib/jvm/java-7-openjdk*/jre/lib/*/IcedTeaPlugin.so mr,
  /usr/lib/jvm/java-7-openjdk/jre/bin/java rCx -> browser_openjdk,
  /usr/lib/jvm/java-7-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java rCx -> browser_openjdk,    
  /usr/lib/jvm/java-7-openjdk-*/jre/bin/java rCx -> browser_openjdk,
 
  profile browser_openjdk {
    #include <abstractions/base>
    #include <abstractions/private-files-strict>
 
    network inet stream,
    network inet dgram,
    network inet6 stream,
 
    /usr/lib/jvm/java-7-openjdk-*/jre/lib/ r,
    /usr/lib/jvm/java-7-openjdk-*/jre/lib/** r,
    /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/*.so mr,
    /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/*/*.so mr,
        
    /usr/lib/jvm/java-7-openjdk-*/jre/bin/java r,
    /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/jvm.cfg-default r,
 
    /usr/lib/x86_64-linux-gnu/jni/libatk-wrapper.so.* mr,
    /usr/lib/x86_64-linux-gnu/gconv/SJIS.so mr,
 
    deny /usr/bin/gconftool-2 x,
    deny /anon_hugepage//deleted r,
 
    /etc/fonts/fonts.conf r,
    /etc/fonts/conf.d/ r,
    /etc/fonts/conf.d/** r,
    /etc/fonts/conf.avail/ r,
    /etc/fonts/conf.avail/** r,
    /etc/hosts r,
    /etc/host.conf r,
    /etc/passwd r,
    /etc/ssl/certs/java/cacerts r,
    /etc/java-7-openjdk/ r,
    /etc/java-7-openjdk/** r,    
    /etc/lsb-release r,
    /etc/ld.so.cache r,    
    /etc/nsswitch.conf r,
    /etc/resolv.conf r,
    /etc/timezone r,
 
    /home/ r,
    /home/*/ r,
    /home/*/.cache/dconf/user rw,
    /home/*/.config/dconf/user r,
    /home/*/.config/ibus/bus/ w,
    /home/*/.fontconfig/ r,
    /home/*/.fontconfig/** r,
    /home/*/.fonts/ r,
    /home/*/.fonts/** r,
    /home/*/.java/fonts/ r,
    /home/*/.java/fonts/** rw,
    /home/*/.mozilla/firefox/profiles.ini r,
    /home/*/.icedtea/ r,
    /home/*/.icedtea/** r,
    /home/*/.icedtea/cache/** rwk,
    /home/*/.Xauthority r,
 
    /proc/[0-9]*/ r,
    /proc/[0-9]*/cmdline r,
    /proc/filesystems r,
    /proc/stat r,
    /proc/[0-9]*/coredump_filter rw,
    /proc/cpuinfo r,
    /proc/[0-9]*/maps r,
    /proc/[0-9]*/net/if_inet6 r,
    /proc/[0-9]*/net/ipv6_route r,
    /proc/meminfo r,
 
    /run/resolvconf/resolv.conf r,
    /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
    /usr/lib/x86_64-linux-gnu/pango/*/modules/pango*.so m,
    /usr/lib/x86_64-linux-gnu/gtk-2.0/*/immodules/im-ibus.so mr,
 
    /usr/share/icedtea-web/ r,
    /usr/share/icedtea-web/** r,
    /usr/share/java/ r,
    /usr/share/java/** r,
 
    # For fonts, icons, themes, etc.  No abstractions here
    /usr/share/fonts/ r,
    /usr/share/fonts/** r,
    /usr/share/texmf/fonts/ r,
    /usr/share/texmf/fonts/** r,
    /usr/share/icons/ r,
    /usr/share/icons/** r,
    /usr/share/themes/ r,
    /usr/share/themes/** r,
 
    /usr/share/X11/locale/ r,
    /usr/share/X11/locale/** r,
 
    /usr/share/javazi r,
    /usr/share/javazi/** r,
    /usr/share/zoneinfo/ r,
    /usr/share/zoneinfo/** r,
 
   # /tmp stuff.  Again no abstractions
    /tmp/ r,
    /tmp/** rwk,
    /var/tmp/ r,
        
    /sys/devices/system/cpu/ r,
    /sys/devices/system/cpu/online r,
 
    /var/cache/fontconfig/ rw,
    /var/cache/fontconfig/** rw,
 
    /var/lib/dbus/machine-id r,
    /usr/lib/jvm/java-7-openjdk*/jre/bin/java ix,
    /usr/lib/jvm/java-7-openjdk*/jre/lib/i386/client/classes.jsa m,
    /usr/lib/jvm/java-7-openjdk-amd64/bin/java ix,      
 
}
 

opt.google.chrome.google-chrome

# Last Modified: Tue Sep 25 14:16:39 2012
#include <tunables/global>
 
/opt/google/chrome/google-chrome {
  #include <abstractions/base>
  #include <abstractions/bash>
 
  /bin/bash rix,
  /bin/dash r,
  /bin/mkdir rix,
  /bin/readlink rix,
  /bin/which rix,
  /dev/tty rw,
  /opt/google/chrome/chrome Px,
  /opt/google/chrome/google-chrome r,
  /proc/filesystems r,
  /usr/bin/dirname rix,
 
}
 

opt.google.chrome.nacl_helper_bootstrap

# Last Modified: Tue Sep 25 14:16:39 2012
#include <tunables/global>
 
/opt/google/chrome/nacl_helper_bootstrap {
  #include <abstractions/base>
 
  /opt/google/chrome/nacl_helper mr,
  /opt/google/chrome/nacl_helper_bootstrap mr,
  /proc/cpuinfo r,
  /proc/filesystems r,
  /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
 
}
 

opt.google.chrome.chrome-sandbox

# Last Modified: Tue Sep 25 14:54:59 2012
#include <tunables/global>
 
/opt/google/chrome/chrome-sandbox {
  capability chown,
  capability dac_override,
  capability fsetid,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,
 
  /etc/ld.so.cache r,
  /lib/@{multiarch}/ld-*.so* mr,
  /lib/x86_64-linux-gnu/libc-*.so mr,
  /lib/x86_64-linux-gnu/libpthread-*.so mr,
  /lib{,32,64}/ld-*.so* mr,
  /lib{,32,64}/libc-*.so* mr,
  /lib{,32,64}/libld-*.so* mr,
  /lib{,32,64}/libm-*.so* mr,
  /lib{,32,64}/libpthread-*.so* mr,
  
  /proc/ r,
  /proc/*/fd/ r,
  owner /tmp/** rw,
  @{PROC}/ r,
  @{PROC}/[0-9]*/ r,
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/oom_adj w,
  @{PROC}/[0-9]*/oom_score_adj w,
  @{PROC}/[0-9]*/task/[0-9]*/stat r,
 
  # Transition to main chrome binary
  /opt/google/chrome/chrome rPx,
  /opt/google/chrome/chrome-sandbox r,
 
}
 

opt.google.chrome.chrome

# Last Modified: Sat Sep 29 03:29:29 2012
#include <tunables/global>
 
/opt/google/chrome/chrome {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/browser_openjdk>
  #include <abstractions/dbus-session>
  #include <abstractions/fonts>
  #include <abstractions/nvidia>
 
  network inet dgram,
  network inet stream,
  network inet6 stream,
 
  /bin/which rix,
  /dev/ r,
  /etc/fstab r,
  /etc/gai.conf r,
  /etc/group r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/lsb-release r,
  /etc/mtab r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/python2.7/sitecustomize.py r,
  /etc/resolv.conf r,
  /etc/udev/udev.conf r,
 
  owner /home/*/ r,
  /home/*/.ICEauthority r,
  /home/*/.Xauthority r,
  /home/*/.cache/dconf/user rw,
  /home/*/.cache/gnome-mplayer/plugin/gecko-mediaplayer* rw,
  /home/*/.cache/google-chrome/Default/Cache/* rw,
  /home/*/.cache/google-chrome/Default/Media*/* rw,
  /home/*/.config/dconf/user r,
  /home/*/.config/google-chrome/ r,
  /home/*/.config/google-chrome/** rwk,  
  /home/*/.config/ibus/bus/ w,
  /home/*/.config/user-dirs.dirs r,
  /home/*/.fontconfig/* r,
  /home/*/.gksu.lock r,
  /home/*/.goutputstream-* r,
  /home/*/.gtk-bookmarks r,
  /home/*/.icons/ r,
  /home/*/.local/share/icons/ r,
  /home/*/.local/share/icons/** r,
  /home/*/.local/share/mime/* r,
  /home/*/.local/share/recently-used.xbel* rw,
  /home/*/.mozilla/firefox/*.default/compatibility.ini r,
  /home/*/.mozilla/firefox/profiles.ini r,
  /home/*/.nv/GLCache/ r,
  /home/*/.nv/GLCache/** rwk,
  /home/*/.pki/nssdb/* r,
  /home/*/.pki/nssdb/*.db rwk,
  /home/*/.pulse-cookie rwk,
  /home/*/.thumbnails/normal/* r,
  /home/*/.xsession-errors r,
  owner /home/*/Downloads/ r,
  owner /home/*/Downloads/** rw,
  owner /home/*/Public/ r,
  owner /home/*/Public/** r,
 
  /opt/google/chrome/** r,
  /opt/google/chrome/*.so mr,
  /opt/google/chrome/PepperFlash/libpepflashplayer.so mr,
  /opt/google/chrome/chrome mrix,
  /opt/google/chrome/chrome-sandbox rPx,
  /opt/google/chrome/extensions/ rw,
  /opt/google/chrome/google-chrome Px,
  /opt/google/chrome/nacl_helper_bootstrap Px,
  /opt/google/chrome/xdg-settings Cx,
 
  /proc/ r,
  /proc/[0-9]*/cmdline r,
  /proc/[0-9]*/fd/ r,
  /proc/[0-9]*/io r,
  /proc/[0-9]*/maps r,
  /proc/[0-9]*/mounts r,
  /proc/[0-9]*/oom_score_adj w,
  /proc/[0-9]*/stat r,
  /proc/[0-9]*/statm r,
  /proc/[0-9]*/status r,
  /proc/[0-9]*/task/ r,
  /proc/[0-9]*/task/[0-9]*/stat r,
  /proc/cpuinfo r,
  /proc/filesystems r,
  /proc/meminfo r,
  /proc/sys/kernel/shmmax r,
 
  /run/resolvconf/resolv.conf r,
  /run/shm/.com.google.Chrome.* rw,
  /run/shm/com.google.Chrome.shmem.* rw,
 
  /selinux/ r,
 
  /sys/bus/pci/devices/ r,
  /sys/devices/pci[0-9]*/**/class r,
  /sys/devices/pci[0-9]*/**/device r,
  /sys/devices/pci[0-9]*/**/irq r,
  /sys/devices/pci[0-9]*/**/resource r,
  /sys/devices/pci[0-9]*/**/vendor r,
  /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
 
  /tmp/ r,
  /tmp/* mrw,
  /tmp/.com.google.Chrome.*/ rw,
  /tmp/.com.google.Chrome.*/Singleton* w,
  /tmp/CRX_75DAF8CB7768/ rw,
  /tmp/CRX_75DAF8CB7768/* rw,
  /tmp/icedteaplugin-*/[0-9]*-icedteanp-* rw,
  /tmp/icedteaplugin-*/ w,
 
  /usr/bin/gnome-mplayer Px,
  /usr/bin/lsb_release rix,
  /usr/bin/python2.7 r,
  /usr/bin/xdg-open Cx,
  /usr/bin/xdg-settings Cx,
 
  /usr/include/python2.7/pyconfig.h r,
  /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so mr,
  /usr/lib/mozilla/plugins/gecko-mediaplayer-*.so mr,
  /usr/lib/mozilla/plugins/gecko-mediaplayer.so mr,
  /usr/lib/totem/totem-plugin-viewer Px,
  /usr/lib/x86_64-linux-gnu/gtk-2.0/*/immodules/*.so mr,
  /usr/lib/x86_64-linux-gnu/pango/*/modules/pango-*.so mr,
  /usr/local/lib/python2.7/dist-packages/ r,
 
  /usr/share/X11/XErrorDB r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gvfs/remote-volume-monitors/ r,
  /usr/share/gvfs/remote-volume-monitors/* r,
  /usr/share/icons/ r,
  /usr/share/icons/** r,
  /usr/share/mime/** r,
  /usr/share/misc/pci.ids r,
  /usr/share/pixmaps/ r,
  /usr/share/pyshared/* r,
  /usr/share/themes/** r,
 
  /var/tmp/ r,
  /var/tmp/* rw,
 
  owner /{run,dev}/shm/pulse-shm* k,
  /{run,dev}/shm/pulse-shm* rw,
 
  profile /opt/google/chrome/xdg-settings {
 
    /bin/dash r,
    /bin/grep rix,
    /bin/readlink rix,
    /bin/sed rix,
    /bin/which rix,
    /dev/null w,
    /etc/gnome/defaults.list r,
    /etc/ld.so.cache r,
    /etc/locale.alias r,
    /home/*/.local/share/applications/google-chrome.desktop r,
    /home/*/.local/share/applications/mimeapps.list r,
    /lib/x86_64-linux-gnu/ld-*.so r,
    /lib/x86_64-linux-gnu/libc-*.so mr,
    /lib/x86_64-linux-gnu/libdl-*.so mr,
    /lib/x86_64-linux-gnu/libm-*.so mr,
    /lib/x86_64-linux-gnu/libselinux.so.* mr,
    /opt/google/chrome/xdg-settings r,
    /proc/*/maps r,
    /proc/filesystems r,
    /usr/bin/basename rix,
    /usr/bin/cut rix,
    /usr/bin/gawk rix,
    /usr/bin/mawk rix,
    /usr/bin/xdg-mime rix,
    /usr/lib/libsigsegv.so.* mr,
    /usr/lib/locale/** r,
    /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
 
  }
 
  profile /usr/bin/xdg-open {
    #include <abstractions/base>
 
    /bin/dash r,
    /etc/gnome/defaults.list r,
    /etc/nsswitch.conf r,
    /etc/passwd r,
    /home/*/.local/share/applications/mimeapps.list r,
    /home/*/.local/share/applications/mimeinfo.cache r,
    /home/*/.local/share/mime/* r,
    /proc/*/fd/ r,
    /usr/bin/evince Px,
    /usr/bin/gnome-open rix,
    /usr/bin/gvfs-open rix,
    /usr/bin/transmission-gtk Px,
    /usr/bin/xdg-open r,
    /usr/share/applications/*.desktop r,
    /usr/share/applications/evince.desktop r,
    /usr/share/applications/gimp.desktop r,
    /usr/share/applications/mimeinfo.cache r,
    /usr/share/mime/* r,
 
  }
 
  profile /usr/bin/xdg-settings {
 
    /bin/cat rix,
    /bin/dash r,
    /bin/grep rix,
    /bin/readlink rix,
    /bin/sed rix,
    /bin/which rix,
    /dev/null w,
    /etc/gnome/defaults.list r,
    /etc/ld.so.cache r,
    /etc/locale.alias r,
    /home/*/.local/share/applications/google-chrome.desktop r,
    /home/*/.local/share/applications/mimeapps.list r,
    /lib/x86_64-linux-gnu/ld-*.so r,
    /lib/x86_64-linux-gnu/libc-*.so mr,
    /lib/x86_64-linux-gnu/libdbus-1.so.* mr,
    /lib/x86_64-linux-gnu/libdl-*.so mr,
    /lib/x86_64-linux-gnu/libglib-2.0.so.* mr,
    /lib/x86_64-linux-gnu/libm-*.so mr,
    /lib/x86_64-linux-gnu/libpcre.so.* mr,
    /lib/x86_64-linux-gnu/libpthread-*.so mr,
    /lib/x86_64-linux-gnu/libresolv-*.so mr,
    /lib/x86_64-linux-gnu/librt-*.so mr,
    /lib/x86_64-linux-gnu/libselinux.so.* mr,
    /lib/x86_64-linux-gnu/libz.so.* mr,
    /proc/[0-9]*/maps r,
    /proc/filesystems r,
    /usr/bin/basename rix,
    /usr/bin/cut rix,
    /usr/bin/gawk rix,
    /usr/bin/gconftool-2 rix,
    /usr/bin/mawk rix,
    /usr/bin/xdg-mime rix,
    /usr/bin/xdg-settings r,
    /usr/lib/libsigsegv.so.* mr,
    /usr/lib/locale/** r,
    /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
    /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.* mr,
    /usr/lib/x86_64-linux-gnu/libffi.so.* mr,
    /usr/lib/x86_64-linux-gnu/libgconf-2.so.* mr,
    /usr/lib/x86_64-linux-gnu/libgio-2.0.so.* mr,
    /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.* mr,
    /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.* mr,
    /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.* mr,
    /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,
 
  }
}
 

Be sure to put "browser_openjdk" in the abstractions directory. After that, simply run:

 sudo aa-enforce opt.google.chrome* usr.lib.totem*
 

You may ask: why so many profiles? Well, I feel it is best to sandbox each part of Chrome separately so that I can enforce POLA as much as possible. Moreover, I put a few child profiles inside the main Chrome profile for the same reason.
