# Profile abstraction for restricting chromium in the lightdm guest session
# Author: Jamie Strandboge <jamie@canonical.com>

# The abstraction provides the additional accesses required to launch
# chromium based browsers from within a lightdm session. Because AppArmor
# cannot yet merge profiles and because we want to utilize the access rules
# provided in abstractions/lightdm, this abstraction must be separate from
# abstractions/lightdm.
#
# Layout: the rules up to the first signal rule below live in the including
# profile (the guest session) and hand the browser binaries off to a child
# profile named "chromium" (the "Cx -> chromium" transitions). Everything
# from the "#include <abstractions/lightdm>" line onward is the body of that
# child profile.
# NOTE(review): the "profile chromium {" header and its closing brace are not
# visible in this listing -- confirm against the upstream file that they
# bracket those rules. If they are absent, the capability lines below would
# be granted to the whole guest session instead of to the browser only.

# Transition each supported browser entry point into the "chromium" child
# profile. Uppercase "Cx" also scrubs the environment (LD_PRELOAD and
# friends) on exec, so the guest session cannot inject a library into the
# more-privileged browser process.
/usr/lib/chromium-browser/chromium-browser Cx -> chromium,
/usr/bin/webapp-container Cx -> chromium,
/usr/bin/webbrowser-app Cx -> chromium,
/usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
/opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
/opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
/opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
/opt/google/chrome/google-chrome Cx -> chromium,

# Allow ptracing processes in the chromium child profile.
# No access qualifier is given, so this is the full ptrace set (trace and
# read, plus the tracedby/readby side), but it is scoped to the child of
# this exact guest-session profile only.
ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,

# Allow receiving and sending signals to processes in the chromium child
# profile. There is no "set=" restriction in this direction: any signal may
# be exchanged with the browser (the reverse rule further down is narrowed
# to "exists").
signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,

# ---- body of the "chromium" child profile (see layout note above) ----

# Allow all the same accesses as other applications in the guest session.
# Everything granted below is therefore *in addition to* the full guest
# session policy; this child profile is a strict superset of it.
#include <abstractions/lightdm>

# but also allow a few things because of chromium-browser's sandboxing that
# are not appropriate to other guest session applications.
# "owner" limits this write to processes running under our own uid, so the
# browser can only adjust the OOM score of its own (sandboxed) children.
owner @{PROC}/[0-9]*/oom_{,score_}adj w,
@{PROC}/sys/kernel/shmmax r,
# The capability set below is what the chrome-sandbox helper needs to build
# its namespace/chroot sandbox. sys_admin in particular is close to
# root-equivalent and, together with sys_ptrace/setuid, is the reason these
# rules must stay confined to the browser's child profile rather than the
# guest session as a whole.
capability sys_admin, # for sandbox to change namespaces
capability sys_chroot, # for sandbox to chroot to a safe directory
capability setgid, # for sandbox to drop privileges
capability setuid, # for sandbox to drop privileges
capability sys_ptrace, # chromium needs this to keep track of itself
# Read-only: lets the sandbox discover the Yama ptrace restriction level in
# effect; nothing in this profile allows changing it.
@{PROC}/sys/kernel/yama/ptrace_scope r,

# Allow ptrace reads of processes in the lightdm-guest-session
# (read only -- the browser is not allowed to attach to and control other
# guest-session processes).
ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
# Allow other guest session processes to read and trace us
ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
# ... and processes under this same profile (chromium tracing its own
# children, which is what the sys_ptrace capability above is for).
ptrace (readby, tracedby) peer=@{profile_name},

# Allow us to receive and send signals from processes in the
# lightdm-guest-session. set=("exists") restricts this to the null signal
# (the "does pid N exist" probe, kill -0), so no real signal can be
# delivered in either direction through this rule.
signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,

# Process-information reads the sandbox performs on arbitrary pids. These are
# not "owner"-qualified, so they cover every pid visible to the browser;
# only the oom_*adj write above is limited to our own uid.
@{PROC}/[0-9]*/ r, # sandbox wants these
@{PROC}/[0-9]*/fd/ r, # sandbox wants these
@{PROC}/[0-9]*/statm r, # sandbox wants these
@{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these

# The sandbox helpers run with "ix" (inherit): they stay under this same
# child profile instead of transitioning to an unconfined or separate one,
# so the capability lines above bound what the helper can do even though it
# is presumably installed setuid root (hence the setuid/setgid capabilities
# "to drop privileges"). The capability and ptrace rules above exist for
# these binaries.
/usr/lib/chromium-browser/chromium-browser-sandbox ix,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
/opt/google/chrome-*/chrome-sandbox ix,