mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-14 23:43:56 +01:00
Delete lightdm_chromium-browser
This commit is contained in:
parent
f02ec5d273
commit
fe59b4d3f8
@ -1,76 +0,0 @@
|
|||||||
# vim:syntax=apparmor
|
|
||||||
# Profile abstraction for restricting chromium in the lightdm guest session
|
|
||||||
# Author: Jamie Strandboge <jamie@canonical.com>
|
|
||||||
|
|
||||||
# The abstraction provides the additional accesses required to launch
|
|
||||||
# chromium based browsers from within an lightdm session. Because AppArmor
|
|
||||||
# cannot yet merge profiles and because we want to utilize the access rules
|
|
||||||
# provided in abstractions/lightdm, this abstraction must be separate from
|
|
||||||
# abstractions/lightdm.
|
|
||||||
|
|
||||||
# Requires apparmor 2.9
|
|
||||||
|
|
||||||
/usr/lib/chromium/chromium Cx -> chromium,
|
|
||||||
/usr/lib/chromium-browser/chromium-browser Cx -> chromium,
|
|
||||||
/usr/bin/webapp-container Cx -> chromium,
|
|
||||||
/usr/bin/webbrowser-app Cx -> chromium,
|
|
||||||
/usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
|
|
||||||
/opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
|
|
||||||
/opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
|
|
||||||
/opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
|
|
||||||
/opt/google/chrome/google-chrome Cx -> chromium,
|
|
||||||
|
|
||||||
# Allow ptracing processes in the chromium child profile
|
|
||||||
ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
|
|
||||||
|
|
||||||
# Allow receiving and sending signals to processes in the chromium child profile
|
|
||||||
signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
|
|
||||||
|
|
||||||
# Allow communications with chromium child profile via unix sockets
|
|
||||||
unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),
|
|
||||||
|
|
||||||
profile chromium {
|
|
||||||
# Allow all the same accesses as other applications in the guest session
|
|
||||||
include <abstractions/lightdm>
|
|
||||||
|
|
||||||
# but also allow a few things because of chromium-browser's sandboxing that
|
|
||||||
# are not appropriate to other guest session applications.
|
|
||||||
owner @{PROC}/[0-9]*/oom_{,score_}adj w,
|
|
||||||
@{PROC}/sys/kernel/shmmax r,
|
|
||||||
capability sys_admin, # for sandbox to change namespaces
|
|
||||||
capability sys_chroot, # fod sandbox to chroot to a safe directory
|
|
||||||
capability setgid, # for sandbox to drop privileges
|
|
||||||
capability setuid, # for sandbox to drop privileges
|
|
||||||
capability sys_ptrace, # chromium needs this to keep track of itself
|
|
||||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
|
||||||
|
|
||||||
# Allow ptrace reads of processes in the lightdm-guest-session
|
|
||||||
ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
|
|
||||||
# Allow other guest session processes to read and trace us
|
|
||||||
ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
|
|
||||||
ptrace (readby, tracedby) peer=@{profile_name},
|
|
||||||
|
|
||||||
# Allow us to receive and send signals from processes in the
|
|
||||||
# lightdm-guest-session
|
|
||||||
signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session,
|
|
||||||
|
|
||||||
# Allow us to receive and send on unix sockets from processes in the
|
|
||||||
# lightdm-guest-session
|
|
||||||
unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session),
|
|
||||||
|
|
||||||
@{PROC}/[0-9]*/ r, # sandbox wants these
|
|
||||||
@{PROC}/[0-9]*/fd/ r, # sandbox wants these
|
|
||||||
@{PROC}/[0-9]*/statm r, # sandbox wants these
|
|
||||||
@{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these
|
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/setgroups w,
|
|
||||||
owner @{PROC}/@{pid}/uid_map w,
|
|
||||||
owner @{PROC}/@{pid}/gid_map w,
|
|
||||||
|
|
||||||
/selinux/ r,
|
|
||||||
|
|
||||||
/usr/lib/chromium/chrome-sandbox ix,
|
|
||||||
/usr/lib/chromium-browser/chromium-browser-sandbox ix,
|
|
||||||
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
|
|
||||||
/opt/google/chrome-*/chrome-sandbox ix,
|
|
||||||
}
|
|
Loading…
Reference in New Issue
Block a user