From: Robert Ancell
Date: Sun, 13 Apr 2014 21:33:12 +0000 (+1200)
Subject: Apply debian/patches/06_apparmor_chromium_updates.patch to checked in code
X-Git-Url: https://rtime.felk.cvut.cz/gitweb/sojka/lightdm.git/commitdiff_plain/c11d27556143d5ff84f32ed67b78598e1b15eced

Apply debian/patches/06_apparmor_chromium_updates.patch to checked in code
---

diff --git a/data/apparmor/abstractions/lightdm_chromium-browser b/data/apparmor/abstractions/lightdm_chromium-browser
index cb4878f8..fd9c94d3 100644
--- a/data/apparmor/abstractions/lightdm_chromium-browser
+++ b/data/apparmor/abstractions/lightdm_chromium-browser
@@ -1,15 +1,28 @@
 # vim:syntax=apparmor
-# Profile abstraction for restricting chromium-browser in the lightdm guest session
+# Profile abstraction for restricting chromium in the lightdm guest session
 # Author: Jamie Strandboge
 
 # The abstraction provides the additional accesses required to launch
-# chromium-browser from within an lightdm session. Because AppArmor cannot yet
-# merge profiles and because we want to utilize the access rules provided in
-# abstractions/lightdm, this abstraction must be separate from
+# chromium based browsers from within an lightdm session. Because AppArmor
+# cannot yet merge profiles and because we want to utilize the access rules
+# provided in abstractions/lightdm, this abstraction must be separate from
 # abstractions/lightdm.
 
- /usr/lib/chromium-browser/chromium-browser Cx -> chromium_browser,
- profile chromium_browser {
+ /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
+ /usr/bin/webapp-container Cx -> chromium,
+ /usr/bin/webbrowser-app Cx -> chromium,
+ /usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
+ /opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
+ /opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
+ /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
+
+ # Allow ptracing processes in the chromium child profile
+ ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+
+ # Allow receiving and sending signals to processes in the chromium child profile
+ signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+
+ profile chromium {
 # Allow all the same accesses as other applications in the guest session
 #include
 
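Review bot: The parent-side rule `ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,` names no access mode, so it grants every ptrace permission in both directions. The child-side rules added later in this patch only pair with `read`, `readby` and `tracedby`. Spelling the modes out keeps the grant no wider than what the child accepts, for example `ptrace (trace, read, readby) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,`. The same hunk also sends `webapp-container`, `webbrowser-app`, `ubuntu-html5-app-launcher` and three Google Chrome channels into the `chromium` child profile, which holds at least the `setuid`, `setgid` and `sys_ptrace` capabilities visible in the next hunk, so a short comment on why each launcher needs that profile would help later audits. The `profile chromium {` block opened here continues past the end of the hunk.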
@@ -22,6 +35,17 @@
 capability setgid, # for sandbox to drop privileges
 capability setuid, # for sandbox to drop privileges
 capability sys_ptrace, # chromium needs this to keep track of itself
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+ # Allow ptrace reads of processes in the lightdm-guest-session
+ ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
+ # Allow other guest session processes to read and trace us
+ ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
+ ptrace (readby, tracedby) peer=@{profile_name},
+
+ # Allow us to receive and send signals from processes in the
+ # lightdm-guest-session
+ signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
 
 @{PROC}/[0-9]*/ r, # sandbox wants these
 @{PROC}/[0-9]*/fd/ r, # sandbox wants these
@@ -30,4 +54,6 @@
 /selinux/ r,
 
 /usr/lib/chromium-browser/chromium-browser-sandbox ix,
+ /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
+ /opt/google/chrome-*/chrome-sandbox ix,
 }
diff --git a/debian/patches/06_apparmor_chromium_updates.patch b/debian/patches/06_apparmor_chromium_updates.patch
deleted file mode 100644
index eb76365a..00000000
--- a/debian/patches/06_apparmor_chromium_updates.patch
+++ /dev/null
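Review bot: The child-side rule `signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,` admits only the existence check, while the parent-side rule in the first hunk lets the session send any signal to the `chromium` child. Unless `abstractions/lightdm` (not visible here) grants more, the session probably cannot deliver a terminating signal to the browser. If termination by the session is intended, add it explicitly, e.g. `signal (receive) set=("term", "kill") peer=/usr/lib/lightdm/lightdm-guest-session,`; otherwise reword the comment to say that only signal 0 is exchanged. Separately, `tracedby` on the guest-session peer lets any process confined by that profile attach to the browser, which is more than the nearby "keep track of itself" comment justifies, so either reduce it to `readby` or document which session process needs to trace. The profile block starts before this hunk.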
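Review bot: The glob in `/opt/google/chrome-*/chrome-sandbox ix,` matches any directory under /opt/google whose name begins with `chrome-`, which is wider than the three channels given exact `Cx` entries in the first hunk. Listing the same three directories (`chrome-stable`, `chrome-beta`, `chrome-unstable`) keeps the sandbox helpers that may run inside the profile in step with the launchers that can enter it. A trailing comment on both new lines, such as `# sandbox helper for oxide` and `# sandbox helper for Google Chrome`, would match the explanatory comments on the neighbouring rules.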
@@ -1,70 +0,0 @@
-Author: Jamie Strandboge
-Description: allow oxide based browsers and Google Chrome to run in the guest
- session
-Bug-Ubuntu: https://launchpad.net/bugs/1298021
-Bug-Ubuntu: https://launchpad.net/bugs/1306560
-
-Index: lightdm-1.10.0/data/apparmor/abstractions/lightdm_chromium-browser
-===================================================================
---- lightdm-1.10.0.orig/data/apparmor/abstractions/lightdm_chromium-browser 2014-04-11 10:57:59.566526276 -0500
-+++ lightdm-1.10.0/data/apparmor/abstractions/lightdm_chromium-browser 2014-04-11 10:58:17.026755558 -0500
-@@ -1,15 +1,28 @@
- # vim:syntax=apparmor
--# Profile abstraction for restricting chromium-browser in the lightdm guest session
-+# Profile abstraction for restricting chromium in the lightdm guest session
- # Author: Jamie Strandboge
-
- # The abstraction provides the additional accesses required to launch
--# chromium-browser from within an lightdm session. Because AppArmor cannot yet
--# merge profiles and because we want to utilize the access rules provided in
--# abstractions/lightdm, this abstraction must be separate from
-+# chromium based browsers from within an lightdm session. Because AppArmor
-+# cannot yet merge profiles and because we want to utilize the access rules
-+# provided in abstractions/lightdm, this abstraction must be separate from
- # abstractions/lightdm.
-
-- /usr/lib/chromium-browser/chromium-browser Cx -> chromium_browser,
-- profile chromium_browser {
-+ /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
-+ /usr/bin/webapp-container Cx -> chromium,
-+ /usr/bin/webbrowser-app Cx -> chromium,
-+ /usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
-+ /opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
-+ /opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
-+ /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
-+
-+ # Allow ptracing processes in the chromium child profile
-+ ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
-+
-+ # Allow receiving and sending signals to processes in the chromium child profile
-+ signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
-+
-+ profile chromium {
- # Allow all the same accesses as other applications in the guest session
- #include
-
-@@ -22,6 +35,17 @@
- capability setgid, # for sandbox to drop privileges
- capability setuid, # for sandbox to drop privileges
- capability sys_ptrace, # chromium needs this to keep track of itself
-+ @{PROC}/sys/kernel/yama/ptrace_scope r,
-+
-+ # Allow ptrace reads of processes in the lightdm-guest-session
-+ ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
-+ # Allow other guest session processes to read and trace us
-+ ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
-+ ptrace (readby, tracedby) peer=@{profile_name},
-+
-+ # Allow us to receive and send signals from processes in the
-+ # lightdm-guest-session
-+ signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
-
- @{PROC}/[0-9]*/ r, # sandbox wants these
- @{PROC}/[0-9]*/fd/ r, # sandbox wants these
-@@ -30,4 +54,6 @@
- /selinux/ r,
-
- /usr/lib/chromium-browser/chromium-browser-sandbox ix,
-+ /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
-+ /opt/google/chrome-*/chrome-sandbox ix,
- }
diff --git a/debian/patches/series b/debian/patches/series
index 248b7ad4..4d371dde 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,3 @@
 01_transition_ubuntu2d_ubuntu_desktop.patch
 04_language_handling.patch
 05_translate_guest_session_dialog.patch
-06_apparmor_chromium_updates.patch