Apply debian/patches/06_apparmor-unix.patch, make note that this requires Apparmor 2.9
[sojka/lightdm.git] / data / apparmor / abstractions / lightdm_chromium-browser
index 9f3671bd4ab4310c567e74c7c8e21361c80d464b..9908969318b1f266cb16d7bfd2d822de300e84a6 100644 (file)
@@ -8,6 +8,8 @@
 # provided in abstractions/lightdm, this abstraction must be separate from
 # abstractions/lightdm.
 
+# Requires apparmor 2.9
+
   /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
   /usr/bin/webapp-container Cx -> chromium,
   /usr/bin/webbrowser-app Cx -> chromium,
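Review bot: The added comment `# Requires apparmor 2.9` does not say which rules impose the requirement, so a later maintainer cannot tell what would have to be removed or guarded to support an older parser. I would name them, e.g. `# Requires AppArmor 2.9 or later: the unix rules below are not understood by older parsers`. It is also worth confirming how the package behaves when this abstraction fails to compile on an older parser, since a profile that does not load would presumably leave the guest session's browser without this confinement.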
@@ -23,6 +25,9 @@
   # Allow receiving and sending signals to processes in the chromium child profile
   signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
 
+  # Allow communications with chromium child profile via unix sockets
+  unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),
+
   profile chromium {
     # Allow all the same accesses as other applications in the guest session
     #include <abstractions/lightdm>
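Review bot: The new parent-side rule `unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),` has no access list, so it grants every unix permission compatible with a peer condition, while the matching rule added further down inside `profile chromium` is limited to `(receive, send)`. If only message exchange is intended, state the same list here: `unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),`. If connect/accept between the two labels is needed, the comment should say so, and the child-side rule probably needs widening to match. Neither rule constrains socket type or address, which may be deliberate but is not stated. The `profile chromium` block continues outside this hunk.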
     # lightdm-guest-session
     signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
 
+    # Allow us to receive and send on unix sockets from processes in the
+    # lightdm-guest-session
+    unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session),
+
     @{PROC}/[0-9]*/ r,                 # sandbox wants these
     @{PROC}/[0-9]*/fd/ r,              # sandbox wants these
     @{PROC}/[0-9]*/statm r,            # sandbox wants these