Page 2 of 2 FirstFirst 12
Results 11 to 12 of 12

Thread: SOLVED Chromium 25.0.1364.160 and Apparmor profile for chromium-browser

  1. #11
    Join Date
    Dec 2012
    Location
    europa
    Beans
    95
    Distro
    Ubuntu Development Release

    Re: SOLVED Chromium 25.0.1364.160 and Apparmor profile for chromium-browser

    maligne cna you copy and paste your chromium profile here or upload it to wherever ?

  2. #12
    Join Date
    Oct 2012
    Beans
    55

    Re: SOLVED Chromium 25.0.1364.160 and Apparmor profile for chromium-browser

    Here is the profile as I now have it on my machine.
    The two lines I have added are in red. The first is needed for it to open. The second just stops it complaining.

    Code:
    # Author: Jamie Strandboge <jamie@canonical.com>
    #include <tunables/global>
    
    
    # We need 'flags=(attach_disconnected)' in newer chromium versions
    /usr/lib/chromium-browser/chromium-browser {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/cups-client>
      #include <abstractions/dbus-session>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/user-tmp>
    
    
      # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
      # you want access to productivity applications, adjust the following file
      # accordingly.
      #include <abstractions/ubuntu-browsers.d/chromium-browser>
    
    
      # Networking
      network inet stream,
      network inet6 stream,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r,
    
    
      # Should maybe be in abstractions
      /etc/mime.types r,
      /etc/mailcap r,
      /etc/mtab r,
      /etc/xdg/xubuntu/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/mimeinfo.cache r,
    
    
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/filesystems r,
      @{PROC}/ r,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/cmdline r,
      owner @{PROC}/[0-9]*/io r,
      @{PROC}/[0-9]*/smaps r,
      owner @{PROC}/[0-9]*/stat r,
      @{PROC}/[0-9]*/statm r,
      owner @{PROC}/[0-9]*/status r,
    
    
      # Newer chromium needs these now
      /etc/udev/udev.conf r,
      /sys/devices/pci[0-9]*/**/size r,
      /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
      /sys/devices/pci[0-9]*/**/class r,
      /sys/devices/pci[0-9]*/**/device r,
      /sys/devices/pci[0-9]*/**/irq r,
      /sys/devices/pci[0-9]*/**/resource r,
      /sys/devices/pci[0-9]*/**/vendor r,
      /sys/devices/pci[0-9]*/**/removable r,
      /sys/devices/pci[0-9]*/**/uevent r,
      # This is requested, but doesn't seem to actually be needed so deny for now
      deny /run/udev/data/** r,
    
    
      # Needed for the crash reporter
      owner @{PROC}/[0-9]*/auxv r,
    
    
      # chromium mmaps all kinds of things for speed.
      /etc/passwd m,
      /usr/share/fonts/truetype/**/*.tt[cf] m,
      /usr/share/fonts/**/*.pfb m,
      /usr/share/mime/mime.cache m,
      /usr/share/icons/**/*.cache m,
      owner /{dev,run}/shm/pulse-shm* m,
      owner @{HOME}/.local/share/mime/mime.cache m,
      owner /tmp/** m,
    
    
      @{PROC}/sys/kernel/shmmax r,
      owner /{dev,run}/shm/{,.}org.chromium.* mrw,
    
    
      /usr/lib/chromium-browser/*.pak mr,
      /usr/lib/chromium-browser/locales/* mr,
    
    
      # Noisy
      deny /usr/lib/chromium-browser/** w,
    
    
      # Make browsing directories work
      / r,
      /**/ r,
    
    
      # Allow access to documentation and other files the user may want to look
      # at in /usr
      /usr/{include,share,src}** r,
    
    
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
    
    
      # Helpers
      /usr/bin/xdg-open ixr,
      /usr/bin/gnome-open ixr,
      /usr/bin/gvfs-open ixr,
      # TODO: kde, xfce
    
    
      # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
      # which is provided by abstractions/ubuntu-browsers.d/user-files).
      @{PROC}/[0-9]*/oom_{,score_}adj w,
      /etc/firefox/profile/bookmarks.html r,
      owner @{HOME}/.mozilla/** k,
    
    
      # Chromium configuration
      owner @{HOME}/.pki/nssdb/* rwk,
      owner @{HOME}/.cache/chromium/ rw,
      owner @{HOME}/.cache/chromium/** rw,
      owner @{HOME}/.cache/chromium/Cache/* mr,
      owner @{HOME}/.config/chromium/ rw,
      owner @{HOME}/.config/chromium/** rwk,
      owner @{HOME}/.config/chromium/**/Cache/* mr,
      owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
      owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
    
    
      # Allow transitions to ourself and our sandbox
      /usr/lib/chromium-browser/chromium-browser ix,
      /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
    
    
      /bin/ps Uxr,
      /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
      /usr/bin/xdg-settings Cxr -> xdgsettings,
    
    
      profile xdgsettings {
        #include <abstractions/base>
        #include <abstractions/bash>
        #include <abstractions/gnome>
    
    
        /bin/dash ixr,
    
    
        /usr/bin/xdg-settings r,
        /usr/lib/chromium-browser/xdg-settings r,
        /usr/share/applications/*.desktop r,
    
    
        # Checking default browser
        /bin/grep ixr,
        /bin/readlink ixr,
        /bin/sed ixr,
        /bin/which ixr,
        /usr/bin/basename ixr,
        /usr/bin/cut ixr,
    
    
        # Setting the default browser
        /bin/mkdir ixr,
        /bin/mv ixr,
        /bin/touch ixr,
        /usr/bin/dirname ixr,
        /usr/bin/gconftool-2 ix,
        /usr/bin/mawk ixr,
        /usr/bin/xdg-mime ixr,
        owner @{HOME}/.local/share/applications/ w,
        owner @{HOME}/.local/share/applications/mimeapps.list* rw,
      }
    
    
      # Site-specific additions and overrides. See local/README for details.
      #include <local/usr.bin.chromium-browser>
    
    
    profile chromium_browser_sandbox {
        # Be fanatical since it is setuid root and don't use an abstraction
        /lib/libgcc_s.so* mr,
        /lib{,32,64}/libm-*.so* mr,
        /lib/@{multiarch}/libm-*.so* mr,
        /lib{,32,64}/libpthread-*.so* mr,
        /lib/@{multiarch}/libpthread-*.so* mr,
        /lib{,32,64}/libc-*.so* mr,
        /lib/@{multiarch}/libc-*.so* mr,
        /lib{,32,64}/libld-*.so* mr,
        /lib/@{multiarch}/libld-*.so* mr,
        /lib{,32,64}/ld-*.so* mr,
        /lib/@{multiarch}/ld-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
        /usr/lib/libstdc++.so* mr,
        /etc/ld.so.cache r,
    
    
        # Required for dropping into PID namespace. Keep in mind that until the
        # process drops this capability it can escape confinement, but once it
        # drops CAP_SYS_ADMIN we are ok.
        capability sys_admin,
    
    
        # All of these are for sanely dropping from root and chrooting
        capability chown,
        capability fsetid,
        capability setgid,
        capability setuid,
        capability dac_override,
        capability sys_chroot,
    
    
        # *Sigh*
        capability sys_ptrace,
    
    
        @{PROC}/ r,
        @{PROC}/[0-9]*/ r,
        @{PROC}/[0-9]*/fd/ r,
        @{PROC}/[0-9]*/oom_adj w,
        @{PROC}/[0-9]*/oom_score_adj w,
        @{PROC}/[0-9]*/status r,
        @{PROC}/[0-9]*/task/[0-9]*/stat r,
    
    
        /usr/bin/chromium-browser r,
        /usr/lib/chromium-browser/chromium-browser Px,
        /usr/lib/chromium-browser/chromium-browser-sandbox r,
    
    
        /dev/null rw,
    
    
        owner /tmp/** rw,
      }
    }
    Last edited by cariboo907; March 17th, 2013 at 08:33 PM. Reason: added code tags

Page 2 of 2 FirstFirst 12

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •