# vim:syntax=apparmor # Profile abstraction for restricting chromium in the lightdm guest session # Author: Jamie Strandboge # The abstraction provides the additional accesses required to launch # chromium based browsers from within an lightdm session. Because AppArmor # cannot yet merge profiles and because we want to utilize the access rules # provided in abstractions/lightdm, this abstraction must be separate from # abstractions/lightdm. # Requires apparmor 2.9 /usr/lib/chromium/chromium Cx -> chromium, /usr/lib/chromium-browser/chromium-browser Cx -> chromium, /usr/bin/webapp-container Cx -> chromium, /usr/bin/webbrowser-app Cx -> chromium, /usr/bin/ubuntu-html5-app-launcher Cx -> chromium, /opt/google/chrome-stable/google-chrome-stable Cx -> chromium, /opt/google/chrome-beta/google-chrome-beta Cx -> chromium, /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium, /opt/google/chrome/google-chrome Cx -> chromium, # Allow ptracing processes in the chromium child profile ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium, # Allow receiving and sending signals to processes in the chromium child profile signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium, # Allow communications with chromium child profile via unix sockets unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium), profile chromium { # Allow all the same accesses as other applications in the guest session include # but also allow a few things because of chromium-browser's sandboxing that # are not appropriate to other guest session applications. owner @{PROC}/[0-9]*/oom_{,score_}adj w, @{PROC}/sys/kernel/shmmax r, capability sys_admin, # for sandbox to change namespaces capability sys_chroot, # fod sandbox to chroot to a safe directory capability setgid, # for sandbox to drop privileges capability setuid, # for sandbox to drop privileges capability sys_ptrace, # chromium needs this to keep track of itself @{PROC}/sys/kernel/yama/ptrace_scope r, # Allow ptrace reads of processes in the lightdm-guest-session ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session, # Allow other guest session processes to read and trace us ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session, ptrace (readby, tracedby) peer=@{profile_name}, # Allow us to receive and send signals from processes in the # lightdm-guest-session signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session, # Allow us to receive and send on unix sockets from processes in the # lightdm-guest-session unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session), @{PROC}/[0-9]*/ r, # sandbox wants these @{PROC}/[0-9]*/fd/ r, # sandbox wants these @{PROC}/[0-9]*/statm r, # sandbox wants these @{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these owner @{PROC}/@{pid}/setgroups w, owner @{PROC}/@{pid}/uid_map w, owner @{PROC}/@{pid}/gid_map w, /selinux/ r, /usr/lib/chromium/chrome-sandbox ix, /usr/lib/chromium-browser/chromium-browser-sandbox ix, /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix, /opt/google/chrome-*/chrome-sandbox ix, }