* debian/patches:
[sojka/debian/lightdm.git] / debian / patches / 02_fix-apparmor-profile.patch
index 83448712ea0f769f9f7435e679051bd45df7795e..e5c586c9b0c4ff8b27fd2a03b45758ee1c237667 100644 (file)
@@ -1,26 +1,29 @@
---- a/data/apparmor/abstractions/lightdm
-+++ b/data/apparmor/abstractions/lightdm
-@@ -11,7 +11,6 @@
-   #include <abstractions/cups-client>
-   #include <abstractions/dbus>
-   #include <abstractions/dbus-session>
--  #include <abstractions/dbus-accessibility>
-   #include <abstractions/nameservice>
-   #include <abstractions/wutmp>
-   /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
-@@ -74,10 +73,11 @@
-   capability ipc_lock,
+--- a/data/apparmor/abstractions/lightdm_chromium-browser
++++ b/data/apparmor/abstractions/lightdm_chromium-browser
+@@ -10,6 +10,7 @@
+ # Requires apparmor 2.9
  
-   # allow processes in the guest session to signal and ptrace each other
--  signal peer=@{profile_name},
--  ptrace peer=@{profile_name},
--  # needed when logging out of the guest session
--  signal (receive) peer=unconfined,
-+  # this doesn't work with the current Debian apparmor
-+  #signal peer=@{profile_name},
-+  #ptrace peer=@{profile_name},
-+  ## needed when logging out of the guest session
-+  #signal (receive) peer=unconfined,
++  /usr/lib/chromium/chromium Cx -> chromium,
+   /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
+   /usr/bin/webapp-container Cx -> chromium,
+   /usr/bin/webbrowser-app Cx -> chromium,
+@@ -68,6 +69,7 @@
  
-   # silence warnings for stuff that we really don't want to grant
-   deny capability dac_override,
+     /selinux/ r,
++    /usr/lib/chromium/chrome-sandbox ix,
+     /usr/lib/chromium-browser/chromium-browser-sandbox ix,
+     /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
+     /opt/google/chrome-*/chrome-sandbox ix,
+--- a/data/apparmor/abstractions/lightdm
++++ b/data/apparmor/abstractions/lightdm
+@@ -32,7 +32,7 @@
+   owner /dev/shm/** rmw,
+   /etc/ r,
+   /etc/** rmk,
+-  /etc/gdm/Xsession ix,
++  /etc/X11/Xsession ix,
+   /etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper
+   /etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper
+   /lib/ r,
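Review bot: The two Debian paths added to lightdm_chromium-browser are exact-match rules, so confinement of the guest session's browser depends on them matching the packaged binaries: `/usr/lib/chromium/chromium Cx -> chromium,` only moves Chromium into the `chromium` child profile if that is the path actually executed, and `/usr/lib/chromium/chrome-sandbox ix,` runs the sandbox helper under the inherited profile, which must already grant whatever that helper needs. Neither the child profile's capability rules nor the start of the profile block is visible in this hunk, so both should be confirmed by starting Chromium in a guest session, checking the audit log for `apparmor="DENIED"` entries and checking the process label with `ps -Z`. The refreshed patch also drops the earlier workaround that commented out the `signal`/`ptrace` peer rules, and it starts directly at the `---` line with no header. A DEP-3 `Description:` stating that the guest profile again relies on upstream's signal and ptrace rules (in line with the "Requires apparmor 2.9" note) would let a later reviewer tell that this was intentional.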