2 # Profile abstraction for restricting chromium in the lightdm guest session
3 # Author: Jamie Strandboge <jamie@canonical.com>
5 # The abstraction provides the additional accesses required to launch
6 # chromium based browsers from within an lightdm session. Because AppArmor
7 # cannot yet merge profiles and because we want to utilize the access rules
8 # provided in abstractions/lightdm, this abstraction must be separate from
9 # abstractions/lightdm.
11 # Requires apparmor 2.9
13 /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
14 /usr/bin/webapp-container Cx -> chromium,
15 /usr/bin/webbrowser-app Cx -> chromium,
16 /usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
17 /opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
18 /opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
19 /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
20 /opt/google/chrome/google-chrome Cx -> chromium,
22 # Allow ptracing processes in the chromium child profile
23 ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
25 # Allow receiving and sending signals to processes in the chromium child profile
26 signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
28 # Allow communications with chromium child profile via unix sockets
29 unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),
32 # Allow all the same accesses as other applications in the guest session
33 #include <abstractions/lightdm>
35 # but also allow a few things because of chromium-browser's sandboxing that
36 # are not appropriate to other guest session applications.
37 owner @{PROC}/[0-9]*/oom_{,score_}adj w,
38 @{PROC}/sys/kernel/shmmax r,
39 capability sys_admin, # for sandbox to change namespaces
40 capability sys_chroot, # fod sandbox to chroot to a safe directory
41 capability setgid, # for sandbox to drop privileges
42 capability setuid, # for sandbox to drop privileges
43 capability sys_ptrace, # chromium needs this to keep track of itself
44 @{PROC}/sys/kernel/yama/ptrace_scope r,
46 # Allow ptrace reads of processes in the lightdm-guest-session
47 ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
48 # Allow other guest session processes to read and trace us
49 ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
50 ptrace (readby, tracedby) peer=@{profile_name},
52 # Allow us to receive and send signals from processes in the
53 # lightdm-guest-session
54 signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session,
56 # Allow us to receive and send on unix sockets from processes in the
57 # lightdm-guest-session
58 unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session),
60 @{PROC}/[0-9]*/ r, # sandbox wants these
61 @{PROC}/[0-9]*/fd/ r, # sandbox wants these
62 @{PROC}/[0-9]*/statm r, # sandbox wants these
63 @{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these
65 owner @{PROC}/@{pid}/setgroups w,
66 owner @{PROC}/@{pid}/uid_map w,
67 owner @{PROC}/@{pid}/gid_map w,
71 /usr/lib/chromium-browser/chromium-browser-sandbox ix,
72 /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
73 /opt/google/chrome-*/chrome-sandbox ix,