# vim:syntax=apparmor
-# Profile abstraction for restricting chromium-browser in the lightdm guest session
+# Profile abstraction for restricting chromium in the lightdm guest session
# Author: Jamie Strandboge <jamie@canonical.com>
# The abstraction provides the additional accesses required to launch
-# chromium-browser from within an lightdm session. Because AppArmor cannot yet
-# merge profiles and because we want to utilize the access rules provided in
-# abstractions/lightdm, this abstraction must be separate from
+# chromium based browsers from within an lightdm session. Because AppArmor
+# cannot yet merge profiles and because we want to utilize the access rules
+# provided in abstractions/lightdm, this abstraction must be separate from
# abstractions/lightdm.
- /usr/lib/chromium-browser/chromium-browser Cx -> chromium_browser,
- profile chromium_browser {
+ /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
+ /usr/bin/webapp-container Cx -> chromium,
+ /usr/bin/webbrowser-app Cx -> chromium,
+ /usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
+ /opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
+ /opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
+ /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
+
+ # Allow ptracing processes in the chromium child profile
+ ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+
+ # Allow receiving and sending signals to processes in the chromium child profile
+ signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+
+ profile chromium {
# Allow all the same accesses as other applications in the guest session
#include <abstractions/lightdm>
capability setgid, # for sandbox to drop privileges
capability setuid, # for sandbox to drop privileges
capability sys_ptrace, # chromium needs this to keep track of itself
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+ # Allow ptrace reads of processes in the lightdm-guest-session
+ ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
+ # Allow other guest session processes to read and trace us
+ ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
+ ptrace (readby, tracedby) peer=@{profile_name},
+
+ # Allow us to receive and send signals from processes in the
+ # lightdm-guest-session
+ signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
@{PROC}/[0-9]*/ r, # sandbox wants these
@{PROC}/[0-9]*/fd/ r, # sandbox wants these
/selinux/ r,
/usr/lib/chromium-browser/chromium-browser-sandbox ix,
+ /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
+ /opt/google/chrome-*/chrome-sandbox ix,
}
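Review bot: The new parent-side rule `signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,` has no `set=` restriction, while the matching rule added inside `profile chromium` limits the same pair to `set=("exists")`. AppArmor checks signal permission on both the sender and the receiver, so unless `abstractions/lightdm` (not shown here) grants more, only the existence probe can pass between the two profiles and the parent rule is broader than what is effective. I would mirror the restriction, `signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session//chromium,`, or add a comment naming the other signals that are intended. Separately, `/opt/google/chrome-*/chrome-sandbox ix,` matches more directories than the three `Cx` launchers listed above it; `/opt/google/chrome-{stable,beta,unstable}/chrome-sandbox ix,` would keep the sandbox rule, which runs under the profile's setuid, setgid and sys_ptrace capabilities, aligned with them.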
+++ /dev/null
-Author: Jamie Strandboge <jamie@canonical.com>
-Description: allow oxide based browsers and Google Chrome to run in the guest
- session
-Bug-Ubuntu: https://launchpad.net/bugs/1298021
-Bug-Ubuntu: https://launchpad.net/bugs/1306560
-
-Index: lightdm-1.10.0/data/apparmor/abstractions/lightdm_chromium-browser
-===================================================================
---- lightdm-1.10.0.orig/data/apparmor/abstractions/lightdm_chromium-browser 2014-04-11 10:57:59.566526276 -0500
-+++ lightdm-1.10.0/data/apparmor/abstractions/lightdm_chromium-browser 2014-04-11 10:58:17.026755558 -0500
-@@ -1,15 +1,28 @@
- # vim:syntax=apparmor
--# Profile abstraction for restricting chromium-browser in the lightdm guest session
-+# Profile abstraction for restricting chromium in the lightdm guest session
- # Author: Jamie Strandboge <jamie@canonical.com>
-
- # The abstraction provides the additional accesses required to launch
--# chromium-browser from within an lightdm session. Because AppArmor cannot yet
--# merge profiles and because we want to utilize the access rules provided in
--# abstractions/lightdm, this abstraction must be separate from
-+# chromium based browsers from within an lightdm session. Because AppArmor
-+# cannot yet merge profiles and because we want to utilize the access rules
-+# provided in abstractions/lightdm, this abstraction must be separate from
- # abstractions/lightdm.
-
-- /usr/lib/chromium-browser/chromium-browser Cx -> chromium_browser,
-- profile chromium_browser {
-+ /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
-+ /usr/bin/webapp-container Cx -> chromium,
-+ /usr/bin/webbrowser-app Cx -> chromium,
-+ /usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
-+ /opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
-+ /opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
-+ /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
-+
-+ # Allow ptracing processes in the chromium child profile
-+ ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
-+
-+ # Allow receiving and sending signals to processes in the chromium child profile
-+ signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
-+
-+ profile chromium {
- # Allow all the same accesses as other applications in the guest session
- #include <abstractions/lightdm>
-
-@@ -22,6 +35,17 @@
- capability setgid, # for sandbox to drop privileges
- capability setuid, # for sandbox to drop privileges
- capability sys_ptrace, # chromium needs this to keep track of itself
-+ @{PROC}/sys/kernel/yama/ptrace_scope r,
-+
-+ # Allow ptrace reads of processes in the lightdm-guest-session
-+ ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
-+ # Allow other guest session processes to read and trace us
-+ ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
-+ ptrace (readby, tracedby) peer=@{profile_name},
-+
-+ # Allow us to receive and send signals from processes in the
-+ # lightdm-guest-session
-+ signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
-
- @{PROC}/[0-9]*/ r, # sandbox wants these
- @{PROC}/[0-9]*/fd/ r, # sandbox wants these
-@@ -30,4 +54,6 @@
- /selinux/ r,
-
- /usr/lib/chromium-browser/chromium-browser-sandbox ix,
-+ /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
-+ /opt/google/chrome-*/chrome-sandbox ix,
- }