
Thread: AppArmor & Chromium Browser

  1. #1

    Question AppArmor & Chromium Browser

    Hello!

    I've put all AppArmor profiles in enforce mode, including the default Chromium Browser profile. I had to make some adjustments so that Chromium was able to start up, including this one:

    Code:
    @{PROC}/[0-9]*/oom_score_adj rw,
    I'm not happy about that. If I understand correctly, that'll allow Chromium to write to oom_score_adj of every process, doesn't it? Is there a placeholder to only allow access to the proc-folder of the process itself?

    Thank you very much,

    Blutkoete
    If SUDO is all-powerful, can SUDO start a process that SUDO can't kill?

  2. #2
    Dangertux

    Re: AppArmor & Chromium Browser

    You shouldn't need that for Chromium to be functional (that I'm aware of); it's not in my Chromium profile.

    That being said, I do see it in a couple of Chromium profiles, so maybe I am just not noticing that some innate functionality I never utilize isn't working.

  3. #3

    Re: AppArmor & Chromium Browser

    Thank you!

    You're right, it's not needed. The reason Chromium didn't start up was that the regular expression

    Code:
    /sys/devices/pci[0-9]*/[0-9]*/resource r,
    didn't match on my computer because the folder is named, e.g.,

    Code:
    /sys/devices/pci0000:00/...
    on my machine. It's probably a good thing if I only allow things that provide functionality needed for my daily work.

    Maybe it's a good idea if I google for what I'm actually allowing Chromium access to.

  4. #4
    Dangertux

    Re: AppArmor & Chromium Browser

    Glad it worked out for you.

  5. #5

    Re: AppArmor & Chromium Browser

    Just for the record: the problem was that my /sys/devices/pci** folder has one more subfolder level than specified in the profile.

    So I had to add a new rule which included an additional /[0-9]*/.
    If SUDO is all-powerful, can SUDO start a process that SUDO can't kill?
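
Added example (not written by any poster in this thread): a simplified Python model of AppArmor path globbing, applied to the rules quoted above. It shows that `*` never crosses a `/`, so the stock PCI rule misses a path with one more directory level, while the `oom_score_adj` rule matches every numeric PID directory. The sample paths, the `@{PROC}` value and the function names are assumptions.

```python
import re

# Assumed variable value (not from the thread): @{PROC} expands to /proc/.
VARIABLES = {"PROC": "/proc/"}

def aa_glob_to_regex(rule_path, variables=VARIABLES):
    """Translate an AppArmor path glob into an anchored Python regex.

    Simplified model: handles @{VAR}, *, **, ?, [...] and {a,b} only.
    """
    for name, value in variables.items():
        rule_path = rule_path.replace("@{%s}" % name, value)
    rule_path = re.sub(r"/+", "/", rule_path)  # collapse doubled slashes
    out, i, depth = [], 0, 0
    while i < len(rule_path):
        c = rule_path[i]
        if rule_path.startswith("**", i):      # ** may cross '/'
            out.append(".*")
            i += 2
            continue
        if c == "[":                           # character class, one char
            end = rule_path.index("]", i + 1)
            out.append(rule_path[i:end + 1])
            i = end + 1
            continue
        if c == "*":                           # * never crosses '/'
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def rule_matches(rule_path, path):
    return aa_glob_to_regex(rule_path).match(path) is not None

# Rules quoted in the thread, plus the deeper variant described in post #5.
PCI_RULE = "/sys/devices/pci[0-9]*/[0-9]*/resource"
PCI_DEEP_RULE = "/sys/devices/pci[0-9]*/[0-9]*/[0-9]*/resource"
OOM_RULE = "@{PROC}/[0-9]*/oom_score_adj"

# Constructed sample paths (not taken from the poster's machine).
DIRECT = "/sys/devices/pci0000:00/0000:00:02.0/resource"
BRIDGED = "/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/resource"
```

`rule_matches(PCI_RULE, BRIDGED)` is false while `rule_matches(PCI_DEEP_RULE, BRIDGED)` is true, and `rule_matches(OOM_RULE, path)` is true for any numeric PID directory because the glob itself carries no notion of the calling process.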
