2 # Profile abstraction for restricting chromium-browser in the lightdm guest session
3 # Author: Jamie Strandboge <jamie@canonical.com>
5 # The abstraction provides the additional accesses required to launch
6 # chromium-browser from within a lightdm session. Because AppArmor cannot yet
7 # merge profiles and because we want to utilize the access rules provided in
8 # abstractions/lightdm, this abstraction must be separate from
9 # abstractions/lightdm.
11 /usr/lib/chromium-browser/chromium-browser Cx -> chromium_browser,
12 profile chromium_browser {
13 # Allow all the same accesses as other applications in the guest session
14 #include <abstractions/lightdm>
16 # but also allow a few things that chromium-browser's sandboxing needs and that
17 # are not appropriate for other guest session applications.
18 owner @{PROC}/[0-9]*/oom_{,score_}adj w,
19 @{PROC}/sys/kernel/shmmax r,
20 capability sys_admin, # for sandbox to change namespaces; broad capability, granted only inside this child profile
21 capability sys_chroot, # for sandbox to chroot to a safe directory
22 capability setgid, # for sandbox to drop privileges
23 capability setuid, # for sandbox to drop privileges
24 capability sys_ptrace, # chromium needs this to keep track of itself
26 @{PROC}/[0-9]*/ r, # sandbox wants these
27 @{PROC}/[0-9]*/fd/ r, # sandbox wants these
28 @{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these
32 /usr/lib/chromium-browser/chromium-browser-sandbox ix,