--- /dev/null
+Author: Jamie Strandboge <jamie@canonical.com>
+Description: allow oxide based browsers and Google Chrome to run in the guest
+ session
+Bug-Ubuntu: https://launchpad.net/bugs/1298021
+Bug-Ubuntu: https://launchpad.net/bugs/1306560
+
+Index: lightdm-1.10.0/data/apparmor/abstractions/lightdm_chromium-browser
+===================================================================
+--- lightdm-1.10.0.orig/data/apparmor/abstractions/lightdm_chromium-browser 2014-04-11 10:57:59.566526276 -0500
++++ lightdm-1.10.0/data/apparmor/abstractions/lightdm_chromium-browser 2014-04-11 10:58:17.026755558 -0500
+@@ -1,15 +1,28 @@
+ # vim:syntax=apparmor
+-# Profile abstraction for restricting chromium-browser in the lightdm guest session
++# Profile abstraction for restricting chromium in the lightdm guest session
+ # Author: Jamie Strandboge <jamie@canonical.com>
+
+ # The abstraction provides the additional accesses required to launch
+-# chromium-browser from within an lightdm session. Because AppArmor cannot yet
+-# merge profiles and because we want to utilize the access rules provided in
+-# abstractions/lightdm, this abstraction must be separate from
++# chromium based browsers from within an lightdm session. Because AppArmor
++# cannot yet merge profiles and because we want to utilize the access rules
++# provided in abstractions/lightdm, this abstraction must be separate from
+ # abstractions/lightdm.
+
+- /usr/lib/chromium-browser/chromium-browser Cx -> chromium_browser,
+- profile chromium_browser {
++ /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
++ /usr/bin/webapp-container Cx -> chromium,
++ /usr/bin/webbrowser-app Cx -> chromium,
++ /usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
++ /opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
++ /opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
++ /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
++
++ # Allow ptracing processes in the chromium child profile
++ ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
++
++ # Allow receiving and sending signals to processes in the chromium child profile
++ signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
++
++ profile chromium {
+ # Allow all the same accesses as other applications in the guest session
+ #include <abstractions/lightdm>
+
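Review bot: The `ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,` rule has no access list, so it grants every ptrace permission, and the `signal (receive, send)` rule after it has no `set=` restriction even though its counterpart in the second hunk is limited to `set=("exists")`. Combined with `ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session` in the second hunk, AppArmor would let any process confined by the guest-session profile attach to a browser process, and the child profile holds capabilities such as `setuid` and `sys_ptrace`. If only inspection is needed, narrow it to `ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,` and list the signals actually required; otherwise add a comment saying why full trace access is needed. The `profile chromium {` block opened at the end of this hunk continues outside it.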
+@@ -22,6 +35,17 @@
+ capability setgid, # for sandbox to drop privileges
+ capability setuid, # for sandbox to drop privileges
+ capability sys_ptrace, # chromium needs this to keep track of itself
++ @{PROC}/sys/kernel/yama/ptrace_scope r,
++
++ # Allow ptrace reads of processes in the lightdm-guest-session
++ ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
++ # Allow other guest session processes to read and trace us
++ ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
++ ptrace (readby, tracedby) peer=@{profile_name},
++
++ # Allow us to receive and send signals from processes in the
++ # lightdm-guest-session
++ signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
+
+ @{PROC}/[0-9]*/ r, # sandbox wants these
+ @{PROC}/[0-9]*/fd/ r, # sandbox wants these
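Review bot: The comment above `signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,` says the rule allows receiving and sending signals, but `set=("exists")` permits only the existence check. A reader auditing the profile could take the rule for broader than it is. I would reword the comment to `# Allow existence checks (signal 0) to and from processes in the lightdm-guest-session`. The new `@{PROC}/sys/kernel/yama/ptrace_scope r,` line has no comment either; presumably the browser reads the Yama ptrace policy before tracing its own processes, and a short note to that effect would help. The enclosing profile body starts and ends outside this hunk.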
+@@ -30,4 +54,6 @@
+ /selinux/ r,
+
+ /usr/lib/chromium-browser/chromium-browser-sandbox ix,
++ /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
++ /opt/google/chrome-*/chrome-sandbox ix,
+ }
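Review bot: The sandbox rule `/opt/google/chrome-*/chrome-sandbox ix,` uses a glob, while the first hunk names three exact channel directories (`chrome-stable`, `chrome-beta`, `chrome-unstable`) for the `Cx -> chromium` transitions, so the two lists do not cover the same set of paths. AppArmor's `*` does not cross `/`, so the glob stays one directory deep but still matches any `/opt/google/chrome-<anything>/` directory. If the stable channel installs under `/opt/google/chrome/` rather than `/opt/google/chrome-stable/` (worth confirming against the package), neither the glob nor the first-hunk rule would match it. In that case the stable channel would need its own launcher rule and `/opt/google/chrome/chrome-sandbox ix,`. Either way, I would enumerate the sandbox paths to mirror the launcher rules so the `ix` grant for the setuid helper is no wider than the set of browsers allowed to start.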