/etc/apparmor.d/abstractions/lightdm_chromium-browser is in lightdm 1.10.3-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 | # vim:syntax=apparmor
# Profile abstraction for restricting chromium in the lightdm guest session
# Author: Jamie Strandboge <jamie@canonical.com>
# The abstraction provides the additional accesses required to launch
# chromium based browsers from within an lightdm session. Because AppArmor
# cannot yet merge profiles and because we want to utilize the access rules
# provided in abstractions/lightdm, this abstraction must be separate from
# abstractions/lightdm.
/usr/lib/chromium/chromium Cx -> chromium,
/usr/lib/chromium-browser/chromium-browser Cx -> chromium,
/usr/bin/webapp-container Cx -> chromium,
/usr/bin/webbrowser-app Cx -> chromium,
/usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
/opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
/opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
/opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
# Allow ptracing processes in the chromium child profile
ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
# Allow receiving and sending signals to processes in the chromium child profile
signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
profile chromium {
# Allow all the same accesses as other applications in the guest session
#include <abstractions/lightdm>
# but also allow a few things because of chromium-browser's sandboxing that
# are not appropriate to other guest session applications.
owner @{PROC}/[0-9]*/oom_{,score_}adj w,
@{PROC}/sys/kernel/shmmax r,
capability sys_admin, # for sandbox to change namespaces
capability sys_chroot, # fod sandbox to chroot to a safe directory
capability setgid, # for sandbox to drop privileges
capability setuid, # for sandbox to drop privileges
capability sys_ptrace, # chromium needs this to keep track of itself
@{PROC}/sys/kernel/yama/ptrace_scope r,
# Allow ptrace reads of processes in the lightdm-guest-session
ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
# Allow other guest session processes to read and trace us
ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
ptrace (readby, tracedby) peer=@{profile_name},
# Allow us to receive and send signals from processes in the
# lightdm-guest-session
signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
@{PROC}/[0-9]*/ r, # sandbox wants these
@{PROC}/[0-9]*/fd/ r, # sandbox wants these
@{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these
/selinux/ r,
/usr/lib/chromium/chrome-sandbox ix,
/usr/lib/chromium-browser/chromium-browser-sandbox ix,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
/opt/google/chrome-*/chrome-sandbox ix,
}
|