From d6c1e0b020f2858a9f2586b9c8dab510a6428515 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 2 Apr 2021 10:07:09 +0100
Subject: [PATCH] chromium: add gnome support.
---
 apparmor.d/groups/browsers/chrome-gnome-shell | 34 +++++++++++++++++++
 .../groups/browsers/chromium-chrome-sandbox | 2 ++
 apparmor.d/groups/browsers/chromium-chromium | 7 ++++
 3 files changed, 43 insertions(+)
 create mode 100644 apparmor.d/groups/browsers/chrome-gnome-shell
diff --git a/apparmor.d/groups/browsers/chrome-gnome-shell b/apparmor.d/groups/browsers/chrome-gnome-shell
new file mode 100644
index 00000000..78fdd760
--- /dev/null
+++ b/apparmor.d/groups/browsers/chrome-gnome-shell
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/chrome-gnome-shell
+profile chrome-gnome-shell @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ owner @{HOME}/.config/dconf/user r,
+
+ owner @{run}/user/@{pid}/dconf/user rw,
+ owner @{PROC}/@{pid}/mounts r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/browsers/chromium-chrome-sandbox b/apparmor.d/groups/browsers/chromium-chrome-sandbox
index 77bd8c66..171556eb 100644
--- a/apparmor.d/groups/browsers/chromium-chrome-sandbox
+++ b/apparmor.d/groups/browsers/chromium-chrome-sandbox
@@ -22,6 +22,8 @@ profile chromium-chrome-sandbox @{exec_path} {
 capability setuid,
 capability setgid,
+ capability dac_override,
+ # optional capability sys_resource,
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index bda0aa6b..4a2e000e 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
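Review bot: The new chrome-gnome-shell profile grants `network inet stream,`, `network inet6 stream,`, both dgram variants and `network netlink raw,` to a helper that, per the `@{exec_path} mr,` and `/{usr/,}bin/python3.[0-9]* r,` rules, is a Python script, apparently launched by the browser as a native-messaging host (the chromium-chromium hunk adds an `rPx` transition to it), and nothing in the hunk records which of these sockets the connector actually opens. Raw netlink in particular is an unusual need for a user-session helper, so a comment such as `# network rules: <observed denial or feature that needs them>` above the block, and dropping any rule not backed by an observed denial, would keep the profile at least privilege. The `abi` and `include` targets are not visible in this rendering of the patch, so the set of abstractions the profile pulls in cannot be reviewed here.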
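Review bot: `capability dac_override,` is added to the chromium-chrome-sandbox profile without a comment saying which access it satisfies. The helper already holds setuid and setgid, and dac_override lets it bypass the permission bits on every path its file rules already allow, so a compromise of this helper reaches more of the filesystem than before; a line like `# dac_override: needed for <path/operation from the denial>` records the justification for the next maintainer. If the underlying denial was a read or directory search, `capability dac_read_search,` is the narrower grant, and an `owner`-scoped file rule may avoid the capability entirely. The enclosing profile begins and continues outside the hunk.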
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -28,6 +28,8 @@ profile chromium-chromium @{exec_path} {
 include include
+ ptrace (read) peer=chrome-gnome-shell,
+ # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1".
 capability sys_admin,
@@ -52,6 +54,7 @@ profile chromium-chromium @{exec_path} {
 @{exec_path} mrix,
 @{CHROMIUM_INSTALLDIR}/chrome-sandbox rPx,
+ /{usr/,}bin/chrome-gnome-shell rPx,
 # For storing passwords externally
 /{usr/,}bin/keepassxc-proxy rPUx,
@@ -79,12 +82,16 @@ profile chromium-chromium @{exec_path} {
 /usr/share/mozilla/extensions/{,**} r,
+ /etc/libva.conf r,
 /etc/chromium/ r,
 /etc/chromium/master_preferences r,
+ /etc/chromium/native-messaging-hosts/*.json r,
 # Chromium home files
 owner @{HOME}/ r,
+ owner @{user_share_dirs}/ r,
 owner @{user_config_dirs}/ r,
+ owner @{user_config_dirs}/gtk-3.0/servers r,
 owner @{CHROMIUM_HOMEDIR}/ rw,
 owner @{CHROMIUM_HOMEDIR}/** rwk,
 owner @{CHROMIUM_HOMEDIR}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw,
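Review bot: `ptrace (read) peer=chrome-gnome-shell,` in the first hunk of chromium-chromium is added without a comment, and because AppArmor's ptrace read permission also covers the PTRACE_MODE_READ checks on the peer's `/proc/<pid>/` files, it is not obvious whether this is for actual tracing or only for the browser reading its child's proc entries; a comment such as `# ptrace read: chromium reads /proc/@{pid}/<which file> of its native-messaging host` would let a later maintainer tell when the rule can go. In the second hunk `/{usr/,}bin/chrome-gnome-shell rPx,` is stricter than the `rPUx` used for the neighbouring keepassxc-proxy host — with `Px` the exec is denied if the chrome-gnome-shell profile is not loaded — which is the right choice given that profile is added in this commit, but it ties the two files to being installed together. The enclosing profile block begins and ends outside these hunks.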