I Still Can't Get The Chromium Apparmor Profile to work!

Printable View

Show 75 post(s) from this thread on one page

July 2nd, 2012
0011235813

I Still Can't Get The Chromium Apparmor Profile to work!

I've always had an issue with this; no matter what I try, everytime I enforce the usr.bin.chromium-browser profile, Chromium won't start. I can see it in the system monitor, and it shows up enforce, but the windows itself doesn't load. I've tried doing what this guy said here but the bug still does not appear to be fixed in apparmor 2.7. Here is the profile:

Code:

# Author: Jamie Strandboge <jamie@canonical.com> #include <tunables/global> # We need 'flags=(attach_disconnected)' in newer chromium versions /usr/lib/chromium-browser/chromium-browser flags=(complain) { #include <abstractions/audio> #include <abstractions/base> #include <abstractions/cups-client> #include <abstractions/dbus-session> #include <abstractions/fonts> #include <abstractions/freedesktop.org> #include <abstractions/gnome> #include <abstractions/nameservice> #include <abstractions/user-tmp> # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if # you want access to productivity applications, adjust the following file # accordingly. #include <abstractions/ubuntu-browsers.d/chromium-browser> # Networking network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/if_inet6 r, @{PROC}/[0-9]*/net/ipv6_route r, # Should maybe be in abstractions /etc/mime.types r, /etc/mailcap r, /etc/xdg/xubuntu/applications/defaults.list r, owner @{HOME}/.local/share/applications/defaults.list r, owner @{HOME}/.local/share/applications/mimeinfo.cache r, @{PROC}/[0-9]*/fd/ r, @{PROC}/filesystems r, @{PROC}/ r, @{PROC}/[0-9]*/task/[0-9]*/stat r, owner @{PROC}/[0-9]*/cmdline r, owner @{PROC}/[0-9]*/io r, owner @{PROC}/[0-9]*/stat r, owner @{PROC}/[0-9]*/status r, # Newer chromium needs these now /sys/devices/pci[0-9]*/**/class r, /sys/devices/pci[0-9]*/**/device r, /sys/devices/pci[0-9]*/**/irq r, /sys/devices/pci[0-9]*/**/resource r, /sys/devices/pci[0-9]*/**/vendor r, # Needed for the crash reporter owner @{PROC}/[0-9]*/auxv r, # chromium mmaps all kinds of things for speed. /etc/passwd m, /usr/share/fonts/truetype/**/*.tt[cf] m, /usr/share/fonts/**/*.pfb m, /usr/share/mime/mime.cache m, /usr/share/icons/**/*.cache m, owner /{dev,run}/shm/pulse-shm* m, owner @{HOME}/.local/share/mime/mime.cache m, owner /tmp/** m, @{PROC}/sys/kernel/shmmax r, owner /{dev,run}/shm/{,.}org.chromium.* mrw, /usr/lib/chromium-browser/*.pak mr, /usr/lib/chromium-browser/locales/* mr, # Noisy deny /usr/lib/chromium-browser/** w, # Make browsing directories work / r, /**/ r, # Allow access to documentation and other files the user may want to look # at in /usr /usr/{include,share,src}** r, # Default profile allows downloads to ~/Downloads and uploads from ~/Public owner @{HOME}/ r, owner @{HOME}/Public/ r, owner @{HOME}/Public/* r, owner @{HOME}/Downloads/ r, owner @{HOME}/Downloads/* rw, # Helpers /usr/bin/xdg-open ixr, /usr/bin/gnome-open ixr, /usr/bin/gvfs-open ixr, # TODO: kde, xfce # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/** # which is provided by abstractions/ubuntu-browsers.d/user-files). @{PROC}/[0-9]*/oom_{,score_}adj w, /etc/firefox/profile/bookmarks.html r, owner @{HOME}/.mozilla/** k, # Chromium configuration owner @{HOME}/.pki/nssdb/* rwk, owner @{HOME}/.cache/chromium/ rw, owner @{HOME}/.cache/chromium/** rw, owner @{HOME}/.cache/chromium/Cache/* mr, owner @{HOME}/.config/chromium/ rw, owner @{HOME}/.config/chromium/** rwk, owner @{HOME}/.config/chromium/**/Cache/* mr, owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr, owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr, # Allow transitions to ourself and our sandbox /usr/lib/chromium-browser/chromium-browser ix, /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox, # TODO: child profile /bin/ps Uxr, /usr/lib/chromium-browser/xdg-settings Ux, /usr/bin/xdg-settings Ux, # Site-specific additions and overrides. See local/README for details. #include <local/usr.bin.chromium-browser> profile chromium_browser_sandbox flags=(complain) { # Be fanatical since it is setuid root and don't use an abstraction /lib/libgcc_s.so* mr, /lib{,32,64}/libm-*.so* mr, /lib/@{multiarch}/libm-*.so* mr, /lib{,32,64}/libpthread-*.so* mr, /lib/@{multiarch}/libpthread-*.so* mr, /lib{,32,64}/libc-*.so* mr, /lib/@{multiarch}/libc-*.so* mr, /lib{,32,64}/libld-*.so* mr, /lib/@{multiarch}/libld-*.so* mr, /lib{,32,64}/ld-*.so* mr, /lib/@{multiarch}/ld-*.so* mr, /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr, /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr, /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr, /usr/lib/libstdc++.so* mr, /etc/ld.so.cache r, # Required for dropping into PID namespace. Keep in mind that until the # process drops this capability it can escape confinement, but once it # drops CAP_SYS_ADMIN we are ok. capability sys_admin, # All of these are for sanely dropping from root and chrooting capability chown, capability fsetid, capability setgid, capability setuid, capability dac_override, capability sys_chroot, # *Sigh* capability sys_ptrace, @{PROC}/ r, @{PROC}/[0-9]*/ r, @{PROC}/[0-9]*/fd/ r, @{PROC}/[0-9]*/oom_adj w, @{PROC}/[0-9]*/oom_score_adj w, @{PROC}/[0-9]*/task/[0-9]*/stat r, /usr/bin/chromium-browser r, /usr/lib/chromium-browser/chromium-browser Px, /usr/lib/chromium-browser/chromium-browser-sandbox r, owner /tmp/** rw, } }

Any help?
July 2nd, 2012
Hungry Man

Re: I Still Can't Get The Chromium Apparmor Profile to work!

If you're not receiving anything through aa-logprof delete any 'deny' rules.
July 2nd, 2012
0011235813

Re: I Still Can't Get The Chromium Apparmor Profile to work!

Quote:

Originally Posted by Hungry Man

If you're not receiving anything through aa-logprof delete any 'deny' rules.

Do you know of any Chromium (or Chrome) profiles that will actually work? Ideally, ones that will allow me to download to specific folders...
July 2nd, 2012
Hungry Man

Re: I Still Can't Get The Chromium Apparmor Profile to work!

Sure. I use a Chrome profile but I haven't actually spent much time making sure it's not full of holes ( could likely keep it more locked down through OWNER tags.) I made these pretty quickly and could likely tighten them more by removing variables.

edit: Actually going through quickly I can see a few issues with this profile in terms of being way too loose. I'll rewrite it later.

Quote:

# Last Modified: Wed May 16 23:18:45 2012
#include <tunables/global>

/opt/google/chrome/chrome-sandbox {
#include <abstractions/base>
#include <abstractions/ubuntu-konsole>

capability chown,
capability dac_override,
capability fsetid,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,

/etc/ld.so.cache r,
/home/*/.config/google-chrome/Default/** rwk,
/home/*/.config/google-chrome/Dictionaries/* r,
"/home/*/.config/google-chrome/Profile 1/Pepper Data/**" w,
/home/documents/ r,
/lib/@{multiarch}/ld-*.so* mr,
/lib/@{multiarch}/libc-*.so* mr,
/lib/@{multiarch}/libld-*.so* mr,
/lib/@{multiarch}/libm-*.so* mr,
/lib/@{multiarch}/libpthread-*.so* mr,
/lib/libgcc_s.so* mr,
/lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
/lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
/lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
/lib{,32,64}/ld-*.so* mr,
/lib{,32,64}/libc-*.so* mr,
/lib{,32,64}/libld-*.so* mr,
/lib{,32,64}/libm-*.so* mr,
/lib{,32,64}/libpthread-*.so* mr,
/opt/google/** mr,
/opt/google/chrome/ r,
/opt/google/chrome/chrome rix,
/opt/google/chrome/chrome-sandbox r,
/opt/google/chrome/google-chrome r,
/opt/google/chrome/nacl_helper_bootstrap px,
/proc/ r,
/proc/*/ r,
/proc/*/fd/ r,
/proc/*/oom_score_adj w,
/proc/*/status r,
/proc/sys/kernel/shmmax r,
/run/shm/* rw,
/sys/devices/system/cpu/** r,
/usr/lib/libstdc++.so* mr,
@{PROC}/ r,
@{PROC}/[0-9]*/ r,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/oom_adj w,
@{PROC}/[0-9]*/oom_score_adj w,
@{PROC}/[0-9]*/task/[0-9]*/stat r,

}

Quote:

# Last Modified: Wed May 16 23:18:45 2012
#include <tunables/global>

/opt/google/chrome/google-chrome {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/cups-client>
#include <abstractions/dbus-session>
#include <abstractions/fonts>
#include <abstractions/freedesktop.org>
#include <abstractions/gnome>
#include <abstractions/nameservice>
#include <abstractions/nvidia>
#include <abstractions/ubuntu-konsole>
#include <abstractions/user-tmp>

deny capability dac_override,
deny capability dac_read_search,

capability ipc_lock,
capability sys_ptrace,

network inet stream,
network inet6 stream,

deny /media/truecrypt1/ r,
/home/*/Documents/Misc/** r,
/bin/bash rix,
/bin/dash rix,
/bin/grep rix,
/bin/mkdir rix,
/bin/mv rix,
/bin/ps rix,
/bin/readlink rix,
/bin/sed rix,
/bin/touch rix,
/bin/which rix,
/dev/ r,
/dev/video0 r,
/etc/ati/amdpcsdb.default r,
/etc/ati/atiogl.xml r,
/etc/lsb-release r,
/etc/passwd m,
/etc/python2.7/sitecustomize.py r,
owner /home/*/.adobe/** rwk,
owner /home/*/.cache/dconf/user rwk,
owner /home/*/.cache/google-chrome/** rwk,
owner /home/*/.config/autostart/google-chrome.desktop rwk,
owner /home/*/.config/dconf/user r,
owner /home/*/.config/google-chrome/ rwk,
owner /home/*/.config/google-chrome/** rwk,
/home/*/.fontconfig/** rk,
owner /home/*/.local/share/applications/* rwk,
/home/*/.macromedia/** rk,
/home/*/.mozilla/firefox/** r,
/home/*/.pki/nssdb/** rwk,
/home/*/.thumbnails/normal/* r,
owner /opt/google/** rk,
owner /opt/google/chrome/* mrk,
/opt/google/chrome/PepperFlash/* mrk,
/opt/google/chrome/chrome rix,
/opt/google/chrome/chrome-sandbox px,
/opt/google/chrome/google-chrome rix,
/opt/google/chrome/xdg-settings rix,
/proc/ r,
/proc/*/fd/ r,
/proc/*/io r,
/proc/*/oom_score_adj w,
/proc/*/statm r,
/proc/*/task/ r,
/proc/ati/major r,
/proc/sys/kernel/pid_max r,
/proc/tty/drivers r,
@{PROC}/[0-9]*/task/[0-9]*/stat r,
/proc/uptime r,
/proc/version r,
/root/.local/share/Trash/files/* rwk,
/root/.local/share/Trash/files/** rwk,
/run/shm/* mrw,
/selinux/ r,
/sys/bus/pci/devices/ r,
/sys/devices/** r,
owner /tmp/** mlk,
/tmp/** rw,
/usr/bin/basename rix,
/usr/bin/cut rix,
/usr/bin/dirname rix,
/usr/bin/file-roller rix,
/usr/bin/gconftool-2 rix,
/usr/bin/gvfs-open rix,
/usr/bin/lsb_release rix,
/usr/bin/mawk rix,
/usr/bin/nautilus rix,
/usr/bin/transmission-gtk px,
/usr/bin/xdg-mime rix,
/usr/bin/xdg-open rix,
/usr/bin/xdg-settings rix,
/usr/include/python2.7/pyconfig.h r,
/usr/lib{,32,64}/** mr,
/usr/local/lib/python2.7/dist-packages/ r,
/usr/share/fonts/**/*.pfb m,
/usr/share/fonts/truetype/**/*.tt[cf] m,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/**/*.cache m,
/usr/share/mime/mime.cache m,
/usr/share/pyshared/* r,
owner /{dev,run}/shm/pulse-shm* m,
owner @{HOME}/ r,
owner @{HOME}/.local/share/mime/mime.cache m,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
owner @{PROC}/[0-9]*/auxv r,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,

}

Quote:

# Last Modified: Sat Mar 31 04:24:18 2012
#include <tunables/global>

/opt/google/chrome/nacl_helper_bootstrap {
#include <abstractions/base>

deny capability dac_override,
deny capability dac_read_search,
deny capability chown,
deny capability fsetid,
deny capability setgid,
deny capability setuid,
deny capability sys_admin,
deny capability sys_chroot,
deny capability sys_ptrace,

/opt/google/chrome/nacl_helper mr,
/opt/google/chrome/nacl_irt_x86_64.nexe r,
/run/shm/* mrw,
/sys/devices/system/cpu/cpu0/** r,
/tmp/* r,

}

Feel free to edit as you like.
July 2nd, 2012
0011235813

Re: I Still Can't Get The Chromium Apparmor Profile to work!

Quote:

Originally Posted by Hungry Man

Sure. I use a Chrome profile but I haven't actually spent much time making sure it's not full of holes ( could likely keep it more locked down through OWNER tags.) I made these pretty quickly and could likely tighten them more by removing variables.

edit: Actually going through quickly I can see a few issues with this profile in terms of being way too loose. I'll rewrite it later.

Feel free to edit as you like.

I assume this profile limits downloads to the "Downloads" folder? If so, would adding: something like ~/Music in @HOME work?
July 2nd, 2012
Hungry Man

Re: I Still Can't Get The Chromium Apparmor Profile to work!

@{HOME}/Downloads/ rwk,
@{HOME}/Downloads/Music rwk,

That's all you need.

You can use an owner tag to limit it to being only able to write to files it owns in those folders.
July 2nd, 2012
0011235813

Re: I Still Can't Get The Chromium Apparmor Profile to work!

Quote:

Originally Posted by Hungry Man

@{HOME}/Downloads/ rwk,
@{HOME}/Downloads/Music rwk,

That's all you need.

You can use an owner tag to limit it to being only able to write to files it owns in those folders.

Thanks, I'll get down to it soon.

EDIT:UPDATE: I've got the profile running for Chrome. Here's what I did:

Code:

sudo -i cd /etc/apparmor.d nano opt.google.chrome.chrome-sandbox #Copied profile Ctrl+Shift+V Ctr+X y [ENTER] nano opt.google.chrome.google-chrome #same as above, here was the final profile: # Last Modified: Wed May 16 23:18:45 2012 #include <tunables/global> /opt/google/chrome/google-chrome { #include <abstractions/audio> #include <abstractions/base> #include <abstractions/bash> #include <abstractions/cups-client> #include <abstractions/dbus-session> #include <abstractions/fonts> #include <abstractions/freedesktop.org> #include <abstractions/gnome> #include <abstractions/nameservice> #include <abstractions/nvidia> #include <abstractions/ubuntu-konsole> #include <abstractions/user-tmp> deny capability dac_override, deny capability dac_read_search, capability ipc_lock, capability sys_ptrace, network inet stream, network inet6 stream, deny /media/truecrypt1/ r, /home/*/Documents/Misc/** r, /bin/bash rix, /bin/dash rix, /bin/grep rix, /bin/mkdir rix, /bin/mv rix, /bin/ps rix, /bin/readlink rix, /bin/sed rix, /bin/touch rix, /bin/which rix, /dev/ r, /dev/video0 r, /etc/ati/amdpcsdb.default r, /etc/ati/atiogl.xml r, /etc/lsb-release r, /etc/passwd m, /etc/python2.7/sitecustomize.py r, owner /home/*/.adobe/** rwk, owner /home/*/.cache/dconf/user rwk, owner /home/*/.cache/google-chrome/** rwk, owner /home/*/.config/autostart/google-chrome.desktop rwk, owner /home/*/.config/dconf/user r, owner /home/*/.config/google-chrome/ rwk, owner /home/*/.config/google-chrome/** rwk, /home/*/.fontconfig/** rk, owner /home/*/.local/share/applications/* rwk, /home/*/.macromedia/** rk, /home/*/.mozilla/firefox/** r, /home/*/.pki/nssdb/** rwk, /home/*/.thumbnails/normal/* r, owner /opt/google/** rk, owner /opt/google/chrome/* mrk, /opt/google/chrome/PepperFlash/* mrk, /opt/google/chrome/chrome rix, /opt/google/chrome/chrome-sandbox px, /opt/google/chrome/google-chrome rix, /opt/google/chrome/xdg-settings rix, /proc/ r, /proc/*/fd/ r, /proc/*/io r, /proc/*/oom_score_adj w, /proc/*/statm r, /proc/*/task/ r, /proc/ati/major r, /proc/sys/kernel/pid_max r, /proc/tty/drivers r, @{PROC}/[0-9]*/task/[0-9]*/stat r, /proc/uptime r, /proc/version r, /root/.local/share/Trash/files/* rwk, /root/.local/share/Trash/files/** rwk, /run/shm/* mrw, /selinux/ r, /sys/bus/pci/devices/ r, /sys/devices/** r, owner /tmp/** mlk, /tmp/** rw, /usr/bin/basename rix, /usr/bin/cut rix, /usr/bin/dirname rix, /usr/bin/file-roller rix, /usr/bin/gconftool-2 rix, /usr/bin/gvfs-open rix, /usr/bin/lsb_release rix, /usr/bin/mawk rix, /usr/bin/nautilus rix, /usr/bin/transmission-gtk px, /usr/bin/xdg-mime rix, /usr/bin/xdg-open rix, /usr/bin/xdg-settings rix, /usr/include/python2.7/pyconfig.h r, /usr/lib{,32,64}/** mr, /usr/local/lib/python2.7/dist-packages/ r, /usr/share/fonts/**/*.pfb m, /usr/share/fonts/truetype/**/*.tt[cf] m, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/**/*.cache m, /usr/share/mime/mime.cache m, /usr/share/pyshared/* r, owner /{dev,run}/shm/pulse-shm* m, owner @{HOME}/ r, owner @{HOME}/.local/share/mime/mime.cache m, owner @{HOME}/Downloads/ r, owner @{HOME}/Downloads/* rw, owner @{HOME}/Music/* rw owner @{HOME}/Documents/* rw owner @{HOME}/Software/* rw owner @{HOME}/Pictures/* rw owner @{HOME}/Videos/* rw owner @{HOME}/Dangerous/* rw owner @{HOME}/Public/ r, owner @{HOME}/Public/* r, owner @{PROC}/[0-9]*/auxv r, @{PROC}/[0-9]*/net/if_inet6 r, @{PROC}/[0-9]*/net/ipv6_route r, } nano opt.google.chrome.nacl_helper_bootstrap #same as first aa-enforce opt.google.chrome.chrome-sandbox opt.google.chrome.google-chrome opt.google.chrome.nacl_helper_bootstrap #Got this error: Setting /etc/apparmor.d/opt.google.chrome.chrome-sandbox to enforce mode. Setting /etc/apparmor.d/opt.google.chrome.google-chrome to enforce mode. Warning from stdin (line 1): /sbin/apparmor_parser: cannot use or update cache, disable, or force-complain via stdin AppArmor parser error, in stdin line 114: syntax error, unexpected TOK_OWNER, expecting TOK_END_OF_RULE

Chrome seems to start.
Gnome system monitor shows it as enforced. Loading pages are working. Downloads to Downloads, Music, Pictures, Videos, Dangerous, and Documents all work.
July 3rd, 2012
oklokl

Re: I Still Can't Get The Chromium Apparmor Profile to work!

Apparmor is a bug(/etc/init.d/apparmor restart) Contamination. ->google-chrome Profiles
This bug.
This is a bug that only works when you first start.

Apparmor..-> Do not run. -> -> #sudo /etc/init.d/apparmor restart# Do not ever run.
If you need to run the data are contaminated. -> opt.google.chrome.google-chrome
apparmor Profiles
Contaminated data
Can not be recovered.
Must be completely rewritten.

First, please back up your data
#backup

Code:

mkdir -p ~/test sudo cp -f /etc/apparmor.d/opt.google.chrome.google-chrome ~/ sudo cp -f /etc/apparmor.d/opt.google.chrome.google-chrome ~/test

# Point
# Must be deleted. king bug.. n,.n
# remove file clean

Code:

sudo rm -f /etc/apparmor.d/opt.google.chrome.google-chrome sudo /etc/init.d/apparmor restart

# edit

Code:

sudo nano ~/opt.google.chrome.google-chrome

# my Core

Code:

/sys/devices/system/cpu/cpu*/cpufreq/* r, /dev/null rw, /proc/*/** r,

# you core

Code:

owner @{HOME}/Downloads/ rwk, owner @{HOME}/Downloads/** rwk, owner @{HOME}/Downloads/Music rwk, owner @{HOME}/Downloads/Music/** rwk,

Code:

sudo cp -f ~/opt.google.chrome.google-chrome /etc/apparmor.d sudo /etc/init.d/apparmor restart

#sudo /etc/init.d/apparmor restart#- > If you already use.
Write a completely new ...

Code:

sudo rm -f /etc/apparmor.d/opt.google.chrome.google-chrome sudo /etc/init.d/apparmor restart

new file write and..
copy you file.. -> /etc/apparmor.d

and..
sudo /etc/init.d/apparmor restart

[opt.google.chrome.chrome-sandbox] This issue is bogus.
Bogus log

I find this problem ... It took a long time

If you have used. /etc/init.d/apparmor restart
Due to a bug

May seem normal. ->file.. opt.google.chrome.google-chrome
but.. Is not normal.
remove file..

If you modify the same way as above normal.
Work without any problem.

When you modify the same applies to normal again.
The first problem is that if the program works.
July 3rd, 2012
0011235813

Re: I Still Can't Get The Chromium Apparmor Profile to work!

Quote:

Originally Posted by oklokl

Apparmor is a bug(/etc/init.d/apparmor restart) Contamination. ->google-chrome Profiles
This bug.
This is a bug that only works when you first start.

Apparmor..-> Do not run. -> -> #sudo /etc/init.d/apparmor restart# Do not ever run.
If you need to run the data are contaminated. -> opt.google.chrome.google-chrome
apparmor Profiles
Contaminated data
Can not be recovered.
Must be completely rewritten.

First, please back up your data
#backup

Code:

mkdir -p ~/test sudo cp -f /etc/apparmor.d/opt.google.chrome.google-chrome ~/ sudo cp -f /etc/apparmor.d/opt.google.chrome.google-chrome ~/test

# Point
# Must be deleted. king bug.. n,.n
# remove file clean

Code:

sudo rm -f /etc/apparmor.d/opt.google.chrome.google-chrome sudo /etc/init.d/apparmor restart

# edit

Code:

sudo nano ~/opt.google.chrome.google-chrome

# my Core

Code:

/sys/devices/system/cpu/cpu*/cpufreq/* r, /dev/null rw, /proc/*/** r,

# you core

Code:

owner @{HOME}/Downloads/ rwk, owner @{HOME}/Downloads/** rwk, owner @{HOME}/Downloads/Music rwk, owner @{HOME}/Downloads/Music/** rwk,

Code:

sudo cp -f ~/opt.google.chrome.google-chrome /etc/apparmor.d sudo /etc/init.d/apparmor restart

#sudo /etc/init.d/apparmor restart#- > If you already use.
Write a completely new ...

Code:

sudo rm -f /etc/apparmor.d/opt.google.chrome.google-chrome sudo /etc/init.d/apparmor restart

new file write and..
copy you file.. -> /etc/apparmor.d

and..
sudo /etc/init.d/apparmor restart

[opt.google.chrome.chrome-sandbox] This issue is bogus.
Bogus log

I find this problem ... It took a long time

If you have used. /etc/init.d/apparmor restart
Due to a bug

May seem normal. ->file.. opt.google.chrome.google-chrome
but.. Is not normal.
remove file..

If you modify the same way as above normal.
Work without any problem.

When you modify the same applies to normal again.
The first problem is that if the program works.

Sorry, but I don't seem to understand what you're trying to say. Is there some sort of bug with Chrome when restrating apparmor? Please, I'm confused... Perhaps English is not your native language? It's not mine either, but I'm afraid I don't speak Korean. Do you have anyone that can help you translate?
July 4th, 2012
oklokl

Re: I Still Can't Get The Chromium Apparmor Profile to work!

profile -> Is changed due to a bug
Chromium

Only occurs once.

You must remove the faulty file.
and..
sudo /etc/init.d/apparmor restart
and..
And create a new profile(opt.google.chrome.google-chrome)
Insert
and..
sudo /etc/init.d/apparmor restart

See the command above.
Answers can be found.

Show 75 post(s) from this thread on one page