Apparmor For Xchat

Xchat is a popular IRC program for Linux/Windows. It hasn’t been updated in a long time though, so any vulnerabilities discovered months ago will still work today. Because it is unpatched and talks directly to the internet, I’ve set up a strict apparmor profile. The profile uses no abstractions, to avoid granting any unnecessary rights. By creating an Apparmor profile for Xchat we make vulnerabilities more difficult to exploit, and we lower the value of compromising it.

I’ve only tested this on Freenode IRC. It should work on 64-bit systems.

# Last Modified: Sun Dec 16 01:42:36 2012
#include <tunables/global>

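/usr/bin/xchat {
  # Strict profile for xchat. No abstractions are included, so every right the
  # program needs is spelled out below. Rules are grouped by purpose for
  # readability only: AppArmor ignores rule order and applies the most
  # specific matching rule.
  #
  # Two properties worth preserving when editing:
  #  - There are no exec rules (no ix/px/ux/cx anywhere), so nothing can be
  #    executed from inside the profile. This is expected to also deny
  #    xchat's /exec command and handing URLs to an external browser -- confirm
  #    on the target system before relaxing it.
  #  - No path is granted both w and m, so a compromised xchat cannot write a
  #    file and then map it as a library.

  # Sockets: stream and datagram over IPv4 and IPv6 (IRC traffic plus the
  # name resolution it needs).
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,

  # System configuration read at startup: libc/NSS, locale, time zone, fonts.
  # /etc/passwd is presumably needed for user lookups (getpwuid and friends).
  /dev/urandom r,
  /etc/fonts/** r,
  /etc/gai.conf r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/ld.so.cache r,
  /etc/locale.alias r,
  /etc/localtime r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/python2.7/sitecustomize.py r,
  /proc/filesystems r,
  /proc/meminfo r,
  /run/resolvconf/resolv.conf r,
  /sys/devices/system/cpu/online r,
  /var/lib/dbus/machine-id r,

  # Per-user state. `owner` restricts each rule to files owned by the user
  # xchat runs as, so the profile does not grant access to other users' home
  # directories even where DAC would allow it. The xchat configuration tree is
  # writable but not mappable (no m), so plugins dropped there cannot be
  # loaded.
  owner /home/*/.Xauthority r,
  owner /home/*/.config/dconf/user r,
  owner /home/*/.config/enchant/ r,
  owner /home/*/.config/enchant/*.dic rwk,
  owner /home/*/.config/enchant/*.exc rwk,
  owner /home/*/.xchat2/ r,
  owner /home/*/.xchat2/** rw,
  owner /run/user/*/dconf/user rw,

  # The binary itself and the shared libraries it links against (map + read,
  # never write). Library paths are versioned with globs so minor upgrades do
  # not break the profile.
  /usr/bin/xchat mr,
  /lib/libnss_mdns4.so* mr,
  /lib/libnss_mdns4_minimal.so* mr,
  /lib/x86_64-linux-gnu/libc-*.so mr,
  /lib/x86_64-linux-gnu/libcrypt-*.so mr,
  /lib/x86_64-linux-gnu/libcrypto.so* mr,
  /lib/x86_64-linux-gnu/libdbus-*.so* mr,
  /lib/x86_64-linux-gnu/libdl-*.so mr,
  /lib/x86_64-linux-gnu/libexpat.so* mr,
  /lib/x86_64-linux-gnu/libgcc_s.so* mr,
  /lib/x86_64-linux-gnu/libglib-*.so* mr,
  /lib/x86_64-linux-gnu/liblzma.so* mr,
  /lib/x86_64-linux-gnu/libm-*.so mr,
  /lib/x86_64-linux-gnu/libnsl-*.so mr,
  /lib/x86_64-linux-gnu/libnss_compat-*.so mr,
  /lib/x86_64-linux-gnu/libnss_dns-*.so mr,
  /lib/x86_64-linux-gnu/libnss_files-*.so mr,
  /lib/x86_64-linux-gnu/libnss_nis-*.so mr,
  /lib/x86_64-linux-gnu/libpcre.so* mr,
  /lib/x86_64-linux-gnu/libpng*.so* mr,
  /lib/x86_64-linux-gnu/libpthread-*.so mr,
  /lib/x86_64-linux-gnu/libresolv-*.so mr,
  /lib/x86_64-linux-gnu/librt-*.so mr,
  /lib/x86_64-linux-gnu/libselinux.so* mr,
  /lib/x86_64-linux-gnu/libssl.so* mr,
  /lib/x86_64-linux-gnu/libudev.so.* mr,
  /lib/x86_64-linux-gnu/libutil-*.so mr,
  /lib/x86_64-linux-gnu/libz.so* mr,

  # Spell checking (enchant backends, aspell) and the scripting runtimes xchat
  # can embed (perl, python, tcl).
  /usr/lib/aspell/ r,
  /usr/lib/enchant/ r,
  /usr/lib/enchant/libenchant_aspell.so mr,
  /usr/lib/enchant/libenchant_hspell.so mr,
  /usr/lib/enchant/libenchant_ispell.so mr,
  /usr/lib/enchant/libenchant_myspell.so mr,
  /usr/lib/libaspell.so* mr,
  /usr/lib/libenchant.so* mr,
  /usr/lib/libperl.so* mr,
  /usr/lib/libpython*.so* mr,
  /usr/lib/libsexy.so* mr,
  /usr/lib/libtcl*.so* mr,
  /usr/lib/locale/ r,
  /usr/lib/locale/locale-archive r,

  # Python 2.7 standard-library modules read by the embedded interpreter.
  # Listed file by file rather than as /usr/lib/python2.7/** on purpose: only
  # what was observed at startup is allowed.
  /usr/lib/python2.7/UserDict.py r,
  /usr/lib/python2.7/UserDict.pyc r,
  /usr/lib/python2.7/_abcoll.py r,
  /usr/lib/python2.7/_abcoll.pyc r,
  /usr/lib/python2.7/_sysconfigdata.py r,
  /usr/lib/python2.7/_sysconfigdata.pyc r,
  /usr/lib/python2.7/_sysconfigdata_nd.py r,
  /usr/lib/python2.7/_sysconfigdata_nd.pyc r,
  /usr/lib/python2.7/_weakrefset.py r,
  /usr/lib/python2.7/_weakrefset.pyc r,
  /usr/lib/python2.7/abc.py r,
  /usr/lib/python2.7/abc.pyc r,
  /usr/lib/python2.7/codecs.py r,
  /usr/lib/python2.7/codecs.pyc r,
  /usr/lib/python2.7/copy_reg.py r,
  /usr/lib/python2.7/copy_reg.pyc r,
  /usr/lib/python2.7/dist-packages/ r,
  /usr/lib/python2.7/dist-packages/apport_python_hook.pyc r,
  /usr/lib/python2.7/encodings/__init__.py r,
  /usr/lib/python2.7/encodings/__init__.pyc r,
  /usr/lib/python2.7/encodings/aliases.py r,
  /usr/lib/python2.7/encodings/aliases.pyc r,
  /usr/lib/python2.7/encodings/utf_8.py r,
  /usr/lib/python2.7/encodings/utf_8.pyc r,
  /usr/lib/python2.7/fnmatch.py r,
  /usr/lib/python2.7/fnmatch.pyc r,
  /usr/lib/python2.7/genericpath.py r,
  /usr/lib/python2.7/genericpath.pyc r,
  /usr/lib/python2.7/glob.py r,
  /usr/lib/python2.7/glob.pyc r,
  /usr/lib/python2.7/linecache.py r,
  /usr/lib/python2.7/linecache.pyc r,
  /usr/lib/python2.7/os.py r,
  /usr/lib/python2.7/os.pyc r,
  /usr/lib/python2.7/posixpath.py r,
  /usr/lib/python2.7/posixpath.pyc r,
  /usr/lib/python2.7/re.py r,
  /usr/lib/python2.7/re.pyc r,
  /usr/lib/python2.7/site.py r,
  /usr/lib/python2.7/site.pyc r,
  /usr/lib/python2.7/sitecustomize.pyc r,
  /usr/lib/python2.7/sre_compile.py r,
  /usr/lib/python2.7/sre_compile.pyc r,
  /usr/lib/python2.7/sre_constants.py r,
  /usr/lib/python2.7/sre_constants.pyc r,
  /usr/lib/python2.7/sre_parse.py r,
  /usr/lib/python2.7/sre_parse.pyc r,
  /usr/lib/python2.7/stat.py r,
  /usr/lib/python2.7/stat.pyc r,
  /usr/lib/python2.7/sysconfig.py r,
  /usr/lib/python2.7/sysconfig.pyc r,
  /usr/lib/python2.7/traceback.py r,
  /usr/lib/python2.7/traceback.pyc r,
  /usr/lib/python2.7/types.py r,
  /usr/lib/python2.7/types.pyc r,
  /usr/lib/python2.7/warnings.py r,
  /usr/lib/python2.7/warnings.pyc r,
  /usr/local/lib/python2.7/dist-packages/ r,

  # GTK/GLib stack: charset converters, pixbuf loaders, GIO modules, theme
  # engines, input methods, X11 and rendering libraries.
  /usr/lib/x86_64-linux-gnu/gconv/CP*.so mr,
  /usr/lib/x86_64-linux-gnu/gconv/ISO*-*.so mr,
  /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache mr,
  /usr/lib/x86_64-linux-gnu/gdk-pixbuf-*/*/loaders.cache mr,
  /usr/lib/x86_64-linux-gnu/gdk-pixbuf-*/*/loaders/libpixbufloader-svg.so* mr,
  /usr/lib/x86_64-linux-gnu/gio/modules/ r,
  /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache mr,
  /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so mr,
  /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so mr,
  /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so mr,
  /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so mr,
  /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so mr,
  /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so mr,
  /usr/lib/x86_64-linux-gnu/gtk-*/*/engines/libmurrine.so mr,
  /usr/lib/x86_64-linux-gnu/gtk-*/*/gtk.immodules r,
  /usr/lib/x86_64-linux-gnu/gtk-*/*/immodules/im-ibus.so mr,
  /usr/lib/x86_64-linux-gnu/gtk-*/*/menuproxies/libappmenu.so mr,
  /usr/lib/x86_64-linux-gnu/gtk-*/modules/libcanberra-gtk-module.so mr,
  /usr/lib/x86_64-linux-gnu/gtk-*/modules/liboverlay-scrollbar.so mr,
  /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so mr,
  /usr/lib/x86_64-linux-gnu/libX11.so* mr,
  /usr/lib/x86_64-linux-gnu/libXau.so* mr,
  # A misspelled duplicate of the next rule (libXcompositeso.*) was dropped:
  # it could never match a real file.
  /usr/lib/x86_64-linux-gnu/libXcomposite.so* mr,
  /usr/lib/x86_64-linux-gnu/libXcursor.so* mr,
  /usr/lib/x86_64-linux-gnu/libXdamage.so* mr,
  /usr/lib/x86_64-linux-gnu/libXdmcp.so* mr,
  /usr/lib/x86_64-linux-gnu/libXext.so* mr,
  /usr/lib/x86_64-linux-gnu/libXfixes.so* mr,
  /usr/lib/x86_64-linux-gnu/libXi.so* mr,
  /usr/lib/x86_64-linux-gnu/libXinerama.so* mr,
  /usr/lib/x86_64-linux-gnu/libXrandr.so* mr,
  /usr/lib/x86_64-linux-gnu/libXrender.so* mr,
  /usr/lib/x86_64-linux-gnu/libatk-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libcairo.so* mr,
  /usr/lib/x86_64-linux-gnu/libcanberra-gtk.so* mr,
  /usr/lib/x86_64-linux-gnu/libcanberra.so* mr,
  /usr/lib/x86_64-linux-gnu/libcroco-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libdbus-glib-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libdbusmenu-glib.so.* mr,
  /usr/lib/x86_64-linux-gnu/libdbusmenu-gtk.so* mr,
  /usr/lib/x86_64-linux-gnu/libffi.so* mr,
  /usr/lib/x86_64-linux-gnu/libfontconfig.so* mr,
  /usr/lib/x86_64-linux-gnu/libfreetype.so* mr,
  /usr/lib/x86_64-linux-gnu/libgdk-x11-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libgio-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libgmodule-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libgobject-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libgtk-x11-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libhunspell-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libibus-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libltdl.so* mr,
  /usr/lib/x86_64-linux-gnu/libogg.so* mr,
  /usr/lib/x86_64-linux-gnu/libpango-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libpangocairo-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libpangoft2-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libpixman-*.so* mr,
  /usr/lib/x86_64-linux-gnu/librsvg-*.so* mr,
  /usr/lib/x86_64-linux-gnu/libstdc*.so* mr,
  /usr/lib/x86_64-linux-gnu/libtdb.so* mr,
  /usr/lib/x86_64-linux-gnu/libvorbis.so* mr,
  /usr/lib/x86_64-linux-gnu/libvorbisfile.so* mr,
  /usr/lib/x86_64-linux-gnu/libxcb-render.so* mr,
  /usr/lib/x86_64-linux-gnu/libxcb-shm.so* mr,
  /usr/lib/x86_64-linux-gnu/libxcb.so* mr,
  /usr/lib/x86_64-linux-gnu/libxml*.so* mr,
  /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/ r,
  /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/libpango*.modules r,
  /usr/lib/x86_64-linux-gnu/pango/*/modules/pango-basic-fc.so mr,
  /usr/lib/x86_64-linux-gnu/pango/*/modules/pango-indic-fc.so* mr,
  /usr/lib/x86_64-linux-gnu/pango/*/modules/pango-indic-lang.so* mr,

  # System-wide xchat plugins (root-owned, read/map only).
  /usr/lib/xchat/plugins/ r,
  /usr/lib/xchat/plugins/*.so* mr,

  # Shared read-only data: fonts, icons, themes, locale data, font caches.
  /usr/local/share/fonts/ r,
  /usr/share/ r,
  /usr/share/** r,
  /var/cache/fontconfig/*.cache* mr,
}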
