author | Robert Ancell <robert.ancell@canonical.com> | 2014-04-14 09:33:12 +1200 |
---|---|---|
committer | Robert Ancell <robert.ancell@canonical.com> | 2014-04-14 09:33:12 +1200 |
commit | c0f87cc9d46d80f104ec732c3fe0462963b9d185 (patch) | |
tree | 16a085e40d0342c6b707b61ae424b172d261b514 /data | |
parent | 51c6d6682521ee3e2e92797d33d066c12ce7b034 (diff) | |
download | lightdm-c0f87cc9d46d80f104ec732c3fe0462963b9d185.tar.gz |
Apply debian/patches/06_apparmor_chromium_updates.patch to checked in code
Diffstat (limited to 'data')
-rw-r--r-- | data/apparmor/abstractions/lightdm_chromium-browser | 38 |
1 files changed, 32 insertions, 6 deletions
diff --git a/data/apparmor/abstractions/lightdm_chromium-browser b/data/apparmor/abstractions/lightdm_chromium-browser
index cb4878f8..fd9c94d3 100644
--- a/data/apparmor/abstractions/lightdm_chromium-browser
+++ b/data/apparmor/abstractions/lightdm_chromium-browser
@@ -1,15 +1,28 @@
 # vim:syntax=apparmor
-# Profile abstraction for restricting chromium-browser in the lightdm guest session
+# Profile abstraction for restricting chromium in the lightdm guest session
 # Author: Jamie Strandboge <jamie@canonical.com>
 # The abstraction provides the additional accesses required to launch
-# chromium-browser from within an lightdm session. Because AppArmor cannot yet
-# merge profiles and because we want to utilize the access rules provided in
-# abstractions/lightdm, this abstraction must be separate from
+# chromium based browsers from within an lightdm session. Because AppArmor
+# cannot yet merge profiles and because we want to utilize the access rules
+# provided in abstractions/lightdm, this abstraction must be separate from
 # abstractions/lightdm.
- /usr/lib/chromium-browser/chromium-browser Cx -> chromium_browser,
- profile chromium_browser {
+ /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
+ /usr/bin/webapp-container Cx -> chromium,
+ /usr/bin/webbrowser-app Cx -> chromium,
+ /usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
+ /opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
+ /opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
+ /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
+
+ # Allow ptracing processes in the chromium child profile
+ ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+
+ # Allow receiving and sending signals to processes in the chromium child profile
+ signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+
+ profile chromium {
 # Allow all the same accesses as other applications in the guest session
 #include <abstractions/lightdm>
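Review bot: The added `ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,` rule has no access list, which AppArmor reads as every ptrace permission (trace, read, tracedby, readby), and the `signal (receive, send)` rule after it has no `set=`, so it covers any signal. The comment above the ptrace rule only describes tracing the child, so the rule could say exactly that: `ptrace (read, trace) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,`. Both rules also hard-code the parent profile name, so they match only when this abstraction is included from a profile named exactly `/usr/lib/lightdm/lightdm-guest-session`; a one-line comment stating that assumption would help anyone reusing the abstraction. The body of `profile chromium {` continues outside this hunk.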
@@ -22,6 +35,17 @@
 capability setgid, # for sandbox to drop privileges
 capability setuid, # for sandbox to drop privileges
 capability sys_ptrace, # chromium needs this to keep track of itself
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+ # Allow ptrace reads of processes in the lightdm-guest-session
+ ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
+ # Allow other guest session processes to read and trace us
+ ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
+ ptrace (readby, tracedby) peer=@{profile_name},
+
+ # Allow us to receive and send signals from processes in the
+ # lightdm-guest-session
+ signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
 @{PROC}/[0-9]*/ r, # sandbox wants these
 @{PROC}/[0-9]*/fd/ r, # sandbox wants these
@@ -30,4 +54,6 @@
 /selinux/ r,
 /usr/lib/chromium-browser/chromium-browser-sandbox ix,
+ /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
+ /opt/google/chrome-*/chrome-sandbox ix,
 } |
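Review bot: The comment on the new `signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,` rule says it allows receiving and sending signals, but `set=("exists")` limits it to the existence check (signal 0). The comment should say so, for example `# Allow existence checks (signal 0) to and from processes in the lightdm-guest-session`. This is also narrower than the parent-side `signal (receive, send)` rule in the first hunk, which has no `set=`. Since AppArmor mediates both the sender and the receiver, other signals from the guest session would presumably still be refused here unless the included `abstractions/lightdm` grants them, so it is worth confirming which behaviour is intended. The rules in this hunk sit inside `profile chromium {`, which opens in the first hunk.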
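Review bot: `/opt/google/chrome-*/chrome-sandbox ix,` matches any directory under `/opt/google` whose name starts with `chrome-`, which is wider than the three channels (stable, beta, unstable) given `Cx` transitions in the first hunk. With `ix` the sandbox helper runs under this same profile, including the `setuid`, `setgid` and `sys_ptrace` capabilities visible in the previous hunk's context. The rule is therefore better scoped as tightly as the entry points: `/opt/google/chrome-{stable,beta,unstable}/chrome-sandbox ix,`. The closing `}` ends `profile chromium {`, which opens in the first hunk.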