
Thread: I Still Can't Get The Chromium Apparmor Profile to work!

  1. #1
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    I Still Can't Get The Chromium Apparmor Profile to work!

    I've always had an issue with this; no matter what I try, every time I enforce the usr.bin.chromium-browser profile, Chromium won't start. I can see it in the system monitor, and it shows up enforce, but the window itself doesn't load. I've tried doing what this guy said here but the bug still does not appear to be fixed in apparmor 2.7. Here is the profile:
    Code:
    # Author: Jamie Strandboge <jamie@canonical.com>
    #include <tunables/global>
    
    # We need 'flags=(attach_disconnected)' in newer chromium versions
    /usr/lib/chromium-browser/chromium-browser flags=(complain) {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/cups-client>
      #include <abstractions/dbus-session>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/user-tmp>
    
      # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
      # you want access to productivity applications, adjust the following file
      # accordingly.
      #include <abstractions/ubuntu-browsers.d/chromium-browser>
    
      # Networking
      network inet stream,
      network inet6 stream,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r,
    
      # Should maybe be in abstractions
      /etc/mime.types r,
      /etc/mailcap r,
      /etc/xdg/xubuntu/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/mimeinfo.cache r,
    
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/filesystems r,
      @{PROC}/ r,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/cmdline r,
      owner @{PROC}/[0-9]*/io r,
      owner @{PROC}/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/status r,
    
      # Newer chromium needs these now
      /sys/devices/pci[0-9]*/**/class r,
      /sys/devices/pci[0-9]*/**/device r,
      /sys/devices/pci[0-9]*/**/irq r,
      /sys/devices/pci[0-9]*/**/resource r,
      /sys/devices/pci[0-9]*/**/vendor r,
    
      # Needed for the crash reporter
      owner @{PROC}/[0-9]*/auxv r,
    
      # chromium mmaps all kinds of things for speed.
      /etc/passwd m,
      /usr/share/fonts/truetype/**/*.tt[cf] m,
      /usr/share/fonts/**/*.pfb m,
      /usr/share/mime/mime.cache m,
      /usr/share/icons/**/*.cache m,
      owner /{dev,run}/shm/pulse-shm* m,
      owner @{HOME}/.local/share/mime/mime.cache m,
      owner /tmp/** m,
    
      @{PROC}/sys/kernel/shmmax r,
      owner /{dev,run}/shm/{,.}org.chromium.* mrw,
    
      /usr/lib/chromium-browser/*.pak mr,
      /usr/lib/chromium-browser/locales/* mr,
    
      # Noisy
      deny /usr/lib/chromium-browser/** w,
    
      # Make browsing directories work
      / r,
      /**/ r,
    
      # Allow access to documentation and other files the user may want to look
      # at in /usr
      /usr/{include,share,src}** r,
    
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
    
      # Helpers
      /usr/bin/xdg-open ixr,
      /usr/bin/gnome-open ixr,
      /usr/bin/gvfs-open ixr,
      # TODO: kde, xfce
    
      # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
      # which is provided by abstractions/ubuntu-browsers.d/user-files).
      @{PROC}/[0-9]*/oom_{,score_}adj w,
      /etc/firefox/profile/bookmarks.html r,
      owner @{HOME}/.mozilla/** k,
    
      # Chromium configuration
      owner @{HOME}/.pki/nssdb/* rwk,
      owner @{HOME}/.cache/chromium/ rw,
      owner @{HOME}/.cache/chromium/** rw,
      owner @{HOME}/.cache/chromium/Cache/* mr,
      owner @{HOME}/.config/chromium/ rw,
      owner @{HOME}/.config/chromium/** rwk,
      owner @{HOME}/.config/chromium/**/Cache/* mr,
      owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
      owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
    
      # Allow transitions to ourself and our sandbox
      /usr/lib/chromium-browser/chromium-browser ix,
      /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
    
      # TODO: child profile
      /bin/ps Uxr,
      /usr/lib/chromium-browser/xdg-settings Ux,
      /usr/bin/xdg-settings Ux,
    
      # Site-specific additions and overrides. See local/README for details.
      #include <local/usr.bin.chromium-browser>
    
    profile chromium_browser_sandbox flags=(complain) {
        # Be fanatical since it is setuid root and don't use an abstraction
        /lib/libgcc_s.so* mr,
        /lib{,32,64}/libm-*.so* mr,
        /lib/@{multiarch}/libm-*.so* mr,
        /lib{,32,64}/libpthread-*.so* mr,
        /lib/@{multiarch}/libpthread-*.so* mr,
        /lib{,32,64}/libc-*.so* mr,
        /lib/@{multiarch}/libc-*.so* mr,
        /lib{,32,64}/libld-*.so* mr,
        /lib/@{multiarch}/libld-*.so* mr,
        /lib{,32,64}/ld-*.so* mr,
        /lib/@{multiarch}/ld-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
        /usr/lib/libstdc++.so* mr,
        /etc/ld.so.cache r,
    
        # Required for dropping into PID namespace. Keep in mind that until the
        # process drops this capability it can escape confinement, but once it
        # drops CAP_SYS_ADMIN we are ok.
        capability sys_admin,
    
        # All of these are for sanely dropping from root and chrooting
        capability chown,
        capability fsetid,
        capability setgid,
        capability setuid,
        capability dac_override,
        capability sys_chroot,
    
        # *Sigh*
        capability sys_ptrace,
    
        @{PROC}/ r,
        @{PROC}/[0-9]*/ r,
        @{PROC}/[0-9]*/fd/ r,
        @{PROC}/[0-9]*/oom_adj w,
        @{PROC}/[0-9]*/oom_score_adj w,
        @{PROC}/[0-9]*/task/[0-9]*/stat r,
    
        /usr/bin/chromium-browser r,
        /usr/lib/chromium-browser/chromium-browser Px,
        /usr/lib/chromium-browser/chromium-browser-sandbox r,
    
        owner /tmp/** rw,
      }
    }
    Any help?
    Read my technology blog at: http://penguincampaigner.wordpress.com

  2. #2
    Join Date
    Mar 2011
    Beans
    701

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    If you're not receiving anything through aa-logprof delete any 'deny' rules.

  3. #3
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    If you're not receiving anything through aa-logprof delete any 'deny' rules.
    Do you know of any Chromium (or Chrome) profiles that will actually work? Ideally, ones that will allow me to download to specific folders...
    Read my technology blog at: http://penguincampaigner.wordpress.com

  4. #4
    Join Date
    Mar 2011
    Beans
    701

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Sure. I use a Chrome profile but I haven't actually spent much time making sure it's not full of holes (could likely keep it more locked down through OWNER tags.) I made these pretty quickly and could likely tighten them more by removing variables.

    edit: Actually going through quickly I can see a few issues with this profile in terms of being way too loose. I'll rewrite it later.

    # Last Modified: Wed May 16 23:18:45 2012
    #include <tunables/global>

    /opt/google/chrome/chrome-sandbox {
    #include <abstractions/base>
    #include <abstractions/ubuntu-konsole>

    capability chown,
    capability dac_override,
    capability fsetid,
    capability setgid,
    capability setuid,
    capability sys_admin,
    capability sys_chroot,
    capability sys_ptrace,



    /etc/ld.so.cache r,
    /home/*/.config/google-chrome/Default/** rwk,
    /home/*/.config/google-chrome/Dictionaries/* r,
    "/home/*/.config/google-chrome/Profile 1/Pepper Data/**" w,
    /home/documents/ r,
    /lib/@{multiarch}/ld-*.so* mr,
    /lib/@{multiarch}/libc-*.so* mr,
    /lib/@{multiarch}/libld-*.so* mr,
    /lib/@{multiarch}/libm-*.so* mr,
    /lib/@{multiarch}/libpthread-*.so* mr,
    /lib/libgcc_s.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
    /lib{,32,64}/ld-*.so* mr,
    /lib{,32,64}/libc-*.so* mr,
    /lib{,32,64}/libld-*.so* mr,
    /lib{,32,64}/libm-*.so* mr,
    /lib{,32,64}/libpthread-*.so* mr,
    /opt/google/** mr,
    /opt/google/chrome/ r,
    /opt/google/chrome/chrome rix,
    /opt/google/chrome/chrome-sandbox r,
    /opt/google/chrome/google-chrome r,
    /opt/google/chrome/nacl_helper_bootstrap px,
    /proc/ r,
    /proc/*/ r,
    /proc/*/fd/ r,
    /proc/*/oom_score_adj w,
    /proc/*/status r,
    /proc/sys/kernel/shmmax r,
    /run/shm/* rw,
    /sys/devices/system/cpu/** r,
    /usr/lib/libstdc++.so* mr,
    @{PROC}/ r,
    @{PROC}/[0-9]*/ r,
    @{PROC}/[0-9]*/fd/ r,
    @{PROC}/[0-9]*/oom_adj w,
    @{PROC}/[0-9]*/oom_score_adj w,
    @{PROC}/[0-9]*/task/[0-9]*/stat r,

    }
    # Last Modified: Wed May 16 23:18:45 2012
    #include <tunables/global>

    /opt/google/chrome/google-chrome {
    #include <abstractions/audio>
    #include <abstractions/base>
    #include <abstractions/bash>
    #include <abstractions/cups-client>
    #include <abstractions/dbus-session>
    #include <abstractions/fonts>
    #include <abstractions/freedesktop.org>
    #include <abstractions/gnome>
    #include <abstractions/nameservice>
    #include <abstractions/nvidia>
    #include <abstractions/ubuntu-konsole>
    #include <abstractions/user-tmp>

    deny capability dac_override,
    deny capability dac_read_search,

    capability ipc_lock,
    capability sys_ptrace,

    network inet stream,
    network inet6 stream,

    deny /media/truecrypt1/ r,
    /home/*/Documents/Misc/** r,
    /bin/bash rix,
    /bin/dash rix,
    /bin/grep rix,
    /bin/mkdir rix,
    /bin/mv rix,
    /bin/ps rix,
    /bin/readlink rix,
    /bin/sed rix,
    /bin/touch rix,
    /bin/which rix,
    /dev/ r,
    /dev/video0 r,
    /etc/ati/amdpcsdb.default r,
    /etc/ati/atiogl.xml r,
    /etc/lsb-release r,
    /etc/passwd m,
    /etc/python2.7/sitecustomize.py r,
    owner /home/*/.adobe/** rwk,
    owner /home/*/.cache/dconf/user rwk,
    owner /home/*/.cache/google-chrome/** rwk,
    owner /home/*/.config/autostart/google-chrome.desktop rwk,
    owner /home/*/.config/dconf/user r,
    owner /home/*/.config/google-chrome/ rwk,
    owner /home/*/.config/google-chrome/** rwk,
    /home/*/.fontconfig/** rk,
    owner /home/*/.local/share/applications/* rwk,
    /home/*/.macromedia/** rk,
    /home/*/.mozilla/firefox/** r,
    /home/*/.pki/nssdb/** rwk,
    /home/*/.thumbnails/normal/* r,
    owner /opt/google/** rk,
    owner /opt/google/chrome/* mrk,
    /opt/google/chrome/PepperFlash/* mrk,
    /opt/google/chrome/chrome rix,
    /opt/google/chrome/chrome-sandbox px,
    /opt/google/chrome/google-chrome rix,
    /opt/google/chrome/xdg-settings rix,
    /proc/ r,
    /proc/*/fd/ r,
    /proc/*/io r,
    /proc/*/oom_score_adj w,
    /proc/*/statm r,
    /proc/*/task/ r,
    /proc/ati/major r,
    /proc/sys/kernel/pid_max r,
    /proc/tty/drivers r,
    @{PROC}/[0-9]*/task/[0-9]*/stat r,
    /proc/uptime r,
    /proc/version r,
    /root/.local/share/Trash/files/* rwk,
    /root/.local/share/Trash/files/** rwk,
    /run/shm/* mrw,
    /selinux/ r,
    /sys/bus/pci/devices/ r,
    /sys/devices/** r,
    owner /tmp/** mlk,
    /tmp/** rw,
    /usr/bin/basename rix,
    /usr/bin/cut rix,
    /usr/bin/dirname rix,
    /usr/bin/file-roller rix,
    /usr/bin/gconftool-2 rix,
    /usr/bin/gvfs-open rix,
    /usr/bin/lsb_release rix,
    /usr/bin/mawk rix,
    /usr/bin/nautilus rix,
    /usr/bin/transmission-gtk px,
    /usr/bin/xdg-mime rix,
    /usr/bin/xdg-open rix,
    /usr/bin/xdg-settings rix,
    /usr/include/python2.7/pyconfig.h r,
    /usr/lib{,32,64}/** mr,
    /usr/local/lib/python2.7/dist-packages/ r,
    /usr/share/fonts/**/*.pfb m,
    /usr/share/fonts/truetype/**/*.tt[cf] m,
    /usr/share/glib-2.0/schemas/gschemas.compiled r,
    /usr/share/icons/**/*.cache m,
    /usr/share/mime/mime.cache m,
    /usr/share/pyshared/* r,
    owner /{dev,run}/shm/pulse-shm* m,
    owner @{HOME}/ r,
    owner @{HOME}/.local/share/mime/mime.cache m,
    owner @{HOME}/Downloads/ r,
    owner @{HOME}/Downloads/* rw,
    owner @{HOME}/Public/ r,
    owner @{HOME}/Public/* r,
    owner @{PROC}/[0-9]*/auxv r,
    @{PROC}/[0-9]*/net/if_inet6 r,
    @{PROC}/[0-9]*/net/ipv6_route r,

    }
    # Last Modified: Sat Mar 31 04:24:18 2012
    #include <tunables/global>

    /opt/google/chrome/nacl_helper_bootstrap {
    #include <abstractions/base>


    deny capability dac_override,
    deny capability dac_read_search,
    deny capability chown,
    deny capability fsetid,
    deny capability setgid,
    deny capability setuid,
    deny capability sys_admin,
    deny capability sys_chroot,
    deny capability sys_ptrace,


    /opt/google/chrome/nacl_helper mr,
    /opt/google/chrome/nacl_irt_x86_64.nexe r,
    /run/shm/* mrw,
    /sys/devices/system/cpu/cpu0/** r,
    /tmp/* r,

    }
    Feel free to edit as you like.
    Last edited by Hungry Man; July 2nd, 2012 at 08:19 PM.

  5. #5
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    Sure. I use a Chrome profile but I haven't actually spent much time making sure it's not full of holes (could likely keep it more locked down through OWNER tags.) I made these pretty quickly and could likely tighten them more by removing variables.

    edit: Actually going through quickly I can see a few issues with this profile in terms of being way too loose. I'll rewrite it later.

    Feel free to edit as you like.
    I assume this profile limits downloads to the "Downloads" folder? If so, would adding something like ~/Music in @HOME work?
    Read my technology blog at: http://penguincampaigner.wordpress.com

  6. #6
    Join Date
    Mar 2011
    Beans
    701

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    @{HOME}/Downloads/ rwk,
    @{HOME}/Downloads/Music rwk,

    That's all you need.

    You can use an owner tag to limit it to being only able to write to files it owns in those folders.
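
How the path forms that appear in this thread (`Downloads/`, `Downloads/Music`, `Downloads/*`, `Downloads/**`) differ in what they match, as an added example that is not part of the original posts. It is a simplified model of AppArmor's documented globbing, not the parser's own code; `aare_to_regex`, `matching_rules`, the single-valued `HOME` and the sample paths are constructed for illustration.

```python
import re


def aare_to_regex(pattern, variables):
    """Translate an AppArmor path glob into a Python regex (simplified model)."""
    for name, value in variables.items():
        pattern = pattern.replace("@{%s}" % name, value)
    out, i, depth = [], 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            double = pattern.startswith("**", i)
            end = i + (2 if double else 1)
            # A wildcard that fills a whole path component must match at least
            # one character, so '/dir/*' and '/dir/**' do not match '/dir/'.
            if i > 0 and pattern[i - 1] == "/" and (end == len(pattern) or pattern[end] == "/"):
                out.append("[^/]")
            # '**' crosses directory separators, '*' does not.
            out.append(".*" if double else "[^/]*")
            i = end
            continue
        if ch == "?":
            out.append("[^/]")
        elif ch == "[":
            # Character classes such as [0-9] or [cf] carry over unchanged.
            close = pattern.index("]", i + 1)
            out.append(pattern[i:close + 1])
            i = close
        elif ch == "{":
            out.append("(?:")
            depth += 1
        elif ch == "}" and depth:
            out.append(")")
            depth -= 1
        elif ch == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)


# Constructed value: the real @{HOME} tunable expands to several directories.
VARIABLES = {"HOME": "/home/alice"}

RULES = [
    "@{HOME}/Downloads/",
    "@{HOME}/Downloads/Music",
    "@{HOME}/Downloads/*",
    "@{HOME}/Downloads/**",
]

# Constructed paths. Directories are matched with a trailing slash.
PATHS = [
    "/home/alice/Downloads/",
    "/home/alice/Downloads/song.mp3",
    "/home/alice/Downloads/Music/",
    "/home/alice/Downloads/Music/track.ogg",
]


def matching_rules(path, rules=RULES, variables=VARIABLES):
    """Return the rules whose path pattern matches the whole path."""
    return [r for r in rules if aare_to_regex(r, variables).fullmatch(path)]


if __name__ == "__main__":
    for path in PATHS:
        print(path, "->", matching_rules(path) or "no rule matches")
```
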

  7. #7
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    @{HOME}/Downloads/ rwk,
    @{HOME}/Downloads/Music rwk,

    That's all you need.

    You can use an owner tag to limit it to being only able to write to files it owns in those folders.
    Thanks, I'll get down to it soon.

    EDIT:UPDATE: I've got the profile running for Chrome. Here's what I did:
    Code:
    sudo -i
    cd /etc/apparmor.d
    nano opt.google.chrome.chrome-sandbox
    #Copied profile
    Ctrl+Shift+V
    Ctrl+X
    y
    [ENTER]
     nano opt.google.chrome.google-chrome
    #same as above, here was the final profile:
    # Last Modified: Wed May 16 23:18:45 2012
    #include <tunables/global>
    
    /opt/google/chrome/google-chrome {
    #include <abstractions/audio>
    #include <abstractions/base>
    #include <abstractions/bash>
    #include <abstractions/cups-client>
    #include <abstractions/dbus-session>
    #include <abstractions/fonts>
    #include <abstractions/freedesktop.org>
    #include <abstractions/gnome>
    #include <abstractions/nameservice>
    #include <abstractions/nvidia>
    #include <abstractions/ubuntu-konsole>
    #include <abstractions/user-tmp>
    
    deny capability dac_override,
    deny capability dac_read_search,
    
    capability ipc_lock,
    capability sys_ptrace,
    
    network inet stream,
    network inet6 stream,
    
    deny /media/truecrypt1/ r,
    /home/*/Documents/Misc/** r,
    /bin/bash rix,
    /bin/dash rix,
    /bin/grep rix,
    /bin/mkdir rix,
    /bin/mv rix,
    /bin/ps rix,
    /bin/readlink rix,
    /bin/sed rix,
    /bin/touch rix,
    /bin/which rix,
    /dev/ r,
    /dev/video0 r,
    /etc/ati/amdpcsdb.default r,
    /etc/ati/atiogl.xml r,
    /etc/lsb-release r,
    /etc/passwd m,
    /etc/python2.7/sitecustomize.py r,
    owner /home/*/.adobe/** rwk,
    owner /home/*/.cache/dconf/user rwk,
    owner /home/*/.cache/google-chrome/** rwk,
    owner /home/*/.config/autostart/google-chrome.desktop rwk,
    owner /home/*/.config/dconf/user r,
    owner /home/*/.config/google-chrome/ rwk,
    owner /home/*/.config/google-chrome/** rwk,
    /home/*/.fontconfig/** rk,
    owner /home/*/.local/share/applications/* rwk,
    /home/*/.macromedia/** rk,
    /home/*/.mozilla/firefox/** r,
    /home/*/.pki/nssdb/** rwk,
    /home/*/.thumbnails/normal/* r,
    owner /opt/google/** rk,
    owner /opt/google/chrome/* mrk,
    /opt/google/chrome/PepperFlash/* mrk,
    /opt/google/chrome/chrome rix,
    /opt/google/chrome/chrome-sandbox px,
    /opt/google/chrome/google-chrome rix,
    /opt/google/chrome/xdg-settings rix,
    /proc/ r,
    /proc/*/fd/ r,
    /proc/*/io r,
    /proc/*/oom_score_adj w,
    /proc/*/statm r,
    /proc/*/task/ r,
    /proc/ati/major r,
    /proc/sys/kernel/pid_max r,
    /proc/tty/drivers r,
    @{PROC}/[0-9]*/task/[0-9]*/stat r,
    /proc/uptime r,
    /proc/version r,
    /root/.local/share/Trash/files/* rwk,
    /root/.local/share/Trash/files/** rwk,
    /run/shm/* mrw,
    /selinux/ r,
    /sys/bus/pci/devices/ r,
    /sys/devices/** r,
    owner /tmp/** mlk,
    /tmp/** rw,
    /usr/bin/basename rix,
    /usr/bin/cut rix,
    /usr/bin/dirname rix,
    /usr/bin/file-roller rix,
    /usr/bin/gconftool-2 rix,
    /usr/bin/gvfs-open rix,
    /usr/bin/lsb_release rix,
    /usr/bin/mawk rix,
    /usr/bin/nautilus rix,
    /usr/bin/transmission-gtk px,
    /usr/bin/xdg-mime rix,
    /usr/bin/xdg-open rix,
    /usr/bin/xdg-settings rix,
    /usr/include/python2.7/pyconfig.h r,
    /usr/lib{,32,64}/** mr,
    /usr/local/lib/python2.7/dist-packages/ r,
    /usr/share/fonts/**/*.pfb m,
    /usr/share/fonts/truetype/**/*.tt[cf] m,
    /usr/share/glib-2.0/schemas/gschemas.compiled r,
    /usr/share/icons/**/*.cache m,
    /usr/share/mime/mime.cache m,
    /usr/share/pyshared/* r,
    owner /{dev,run}/shm/pulse-shm* m,
    owner @{HOME}/ r,
    owner @{HOME}/.local/share/mime/mime.cache m,
    owner @{HOME}/Downloads/ r,
    owner @{HOME}/Downloads/* rw,
    owner @{HOME}/Music/* rw
    owner @{HOME}/Documents/* rw
    owner @{HOME}/Software/* rw
    owner @{HOME}/Pictures/* rw
    owner @{HOME}/Videos/* rw
    owner @{HOME}/Dangerous/* rw
    owner @{HOME}/Public/ r,
    owner @{HOME}/Public/* r,
    owner @{PROC}/[0-9]*/auxv r,
    @{PROC}/[0-9]*/net/if_inet6 r,
    @{PROC}/[0-9]*/net/ipv6_route r,
    
    }
    nano opt.google.chrome.nacl_helper_bootstrap
    #same as first
    aa-enforce  opt.google.chrome.chrome-sandbox  opt.google.chrome.google-chrome opt.google.chrome.nacl_helper_bootstrap 
    #Got this error:
    Setting /etc/apparmor.d/opt.google.chrome.chrome-sandbox to enforce mode.
    Setting /etc/apparmor.d/opt.google.chrome.google-chrome to enforce mode.
    Warning from stdin (line 1): /sbin/apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
    AppArmor parser error,  in stdin line 114: syntax error, unexpected TOK_OWNER, expecting TOK_END_OF_RULE
    Chrome seems to start.
    Gnome system monitor shows it as enforced. Loading pages are working. Downloads to Downloads, Music, Pictures, Videos, Dangerous, and Documents all work.
    Last edited by 0011235813; July 2nd, 2012 at 10:00 PM.
    Read my technology blog at: http://penguincampaigner.wordpress.com
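
The parser error quoted above names `TOK_OWNER` and `TOK_END_OF_RULE` because a rule is only complete at its terminating comma: the added `owner @{HOME}/... rw` lines have none, so the parser stops at the next `owner` keyword, one line after the rule that is actually at fault. The check below is an added example, not part of the original post; it assumes one rule per line, as in the profiles in this thread, and the sample profile and function names are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample with the same defect as the profile posted above:
# two rules were added without the comma that terminates a rule.
SAMPLE_PROFILE = """\
#include <tunables/global>

/opt/google/chrome/google-chrome {
  #include <abstractions/base>

  network inet stream,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,   # trailing comment is fine
  owner @{HOME}/Music/* rw
  owner @{HOME}/Documents/* rw
  owner @{HOME}/Public/ r,
}
"""

# Lines that are not rules and so need no terminating comma:
# include directives and variable assignments such as '@{HOME}=...'.
NOT_A_RULE = re.compile(r"^(#include\b|include\b|@\{\w+\}\s*\+?=)")


class Finding(NamedTuple):
    line: int                   # line of the rule that lacks its comma
    rule: str                   # the rule text, comment removed
    reported_at: Optional[int]  # next significant line, where a parser notices


def strip_comment(line: str) -> str:
    """Drop a '# ...' comment; keep '#include' directives and quoted paths."""
    if line.lstrip().startswith("#include"):
        return line.strip()
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            return line[:i].strip()
    return line.strip()


def find_unterminated_rules(profile_text: str) -> List[Finding]:
    """Report rule lines that do not end with the rule terminator ','."""
    significant = []  # (line number, text) of non-blank, non-comment lines
    for number, raw in enumerate(profile_text.splitlines(), start=1):
        text = strip_comment(raw)
        if text:
            significant.append((number, text))

    findings = []
    for index, (number, text) in enumerate(significant):
        opens_or_closes_block = text.endswith("{") or text == "}"
        if NOT_A_RULE.match(text) or opens_or_closes_block or text.endswith(","):
            continue
        following = significant[index + 1][0] if index + 1 < len(significant) else None
        findings.append(Finding(number, text, following))
    return findings


if __name__ == "__main__":
    for f in find_unterminated_rules(SAMPLE_PROFILE):
        print("line %d: missing ',' after %r (a parser would complain at line %s)"
              % (f.line, f.rule, f.reported_at))
```

The authoritative check is still the parser itself: `apparmor_parser -Q` on the profile file parses it without loading it into the kernel.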

  8. #8
    Join Date
    Mar 2011
    Location
    South Korea
    Beans
    289
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Apparmor is a bug(/etc/init.d/apparmor restart) Contamination. ->google-chrome Profiles
    This bug.
    This is a bug that only works when you first start.

    Apparmor..-> Do not run. -> -> #sudo /etc/init.d/apparmor restart# Do not ever run.
    If you need to run the data are contaminated. -> opt.google.chrome.google-chrome
    apparmor Profiles
    Contaminated data
    Can not be recovered.
    Must be completely rewritten.

    First, please back up your data
    #backup
    Code:
    mkdir -p ~/test
    sudo cp -f /etc/apparmor.d/opt.google.chrome.google-chrome ~/
    sudo cp -f /etc/apparmor.d/opt.google.chrome.google-chrome ~/test
    # Point
    # Must be deleted. king bug.. n,.n
    # remove file clean
    Code:
    sudo rm -f /etc/apparmor.d/opt.google.chrome.google-chrome
    sudo /etc/init.d/apparmor restart
    # edit
    Code:
    sudo nano ~/opt.google.chrome.google-chrome
    # my Core
    Code:
    /sys/devices/system/cpu/cpu*/cpufreq/* r,
    /dev/null rw,
    /proc/*/** r,
    # you core
    Code:
    owner @{HOME}/Downloads/ rwk,
    owner @{HOME}/Downloads/** rwk,
    owner @{HOME}/Downloads/Music rwk,
    owner @{HOME}/Downloads/Music/** rwk,
    Code:
    sudo cp -f ~/opt.google.chrome.google-chrome /etc/apparmor.d
    sudo /etc/init.d/apparmor restart
    #sudo /etc/init.d/apparmor restart#- > If you already use.
    Write a completely new ...

    Code:
    sudo rm -f /etc/apparmor.d/opt.google.chrome.google-chrome
    sudo /etc/init.d/apparmor restart
    new file write and..
    copy you file.. -> /etc/apparmor.d

    and..
    sudo /etc/init.d/apparmor restart


    [opt.google.chrome.chrome-sandbox] This issue is bogus.
    Bogus log

    I find this problem ... It took a long time



    If you have used. /etc/init.d/apparmor restart
    Due to a bug

    May seem normal. ->file.. opt.google.chrome.google-chrome
    but.. Is not normal.
    remove file..



    If you modify the same way as above normal.
    Work without any problem.

    When you modify the same applies to normal again.
    The first problem is that if the program works.
    Last edited by oklokl; July 3rd, 2012 at 07:16 AM.

  9. #9
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by oklokl View Post
    Apparmor is a bug(/etc/init.d/apparmor restart) Contamination. ->google-chrome Profiles
    This bug.
    This is a bug that only works when you first start.

    Apparmor..-> Do not run. -> -> #sudo /etc/init.d/apparmor restart# Do not ever run.
    If you need to run the data are contaminated. -> opt.google.chrome.google-chrome
    apparmor Profiles
    Contaminated data
    Can not be recovered.
    Must be completely rewritten.

    First, please back up your data
    #backup
    Code:
    mkdir -p ~/test
    sudo cp -f /etc/apparmor.d/opt.google.chrome.google-chrome ~/
    sudo cp -f /etc/apparmor.d/opt.google.chrome.google-chrome ~/test
    # Point
    # Must be deleted. king bug.. n,.n
    # remove file clean
    Code:
    sudo rm -f /etc/apparmor.d/opt.google.chrome.google-chrome
    sudo /etc/init.d/apparmor restart
    # edit
    Code:
    sudo nano ~/opt.google.chrome.google-chrome
    # my Core
    Code:
    /sys/devices/system/cpu/cpu*/cpufreq/* r,
    /dev/null rw,
    /proc/*/** r,
    # you core
    Code:
    owner @{HOME}/Downloads/ rwk,
    owner @{HOME}/Downloads/** rwk,
    owner @{HOME}/Downloads/Music rwk,
    owner @{HOME}/Downloads/Music/** rwk,
    Code:
    sudo cp -f ~/opt.google.chrome.google-chrome /etc/apparmor.d
    sudo /etc/init.d/apparmor restart
    #sudo /etc/init.d/apparmor restart#- > If you already use.
    Write a completely new ...

    Code:
    sudo rm -f /etc/apparmor.d/opt.google.chrome.google-chrome
    sudo /etc/init.d/apparmor restart
    new file write and..
    copy you file.. -> /etc/apparmor.d

    and..
    sudo /etc/init.d/apparmor restart


    [opt.google.chrome.chrome-sandbox] This issue is bogus.
    Bogus log

    I find this problem ... It took a long time



    If you have used. /etc/init.d/apparmor restart
    Due to a bug

    May seem normal. ->file.. opt.google.chrome.google-chrome
    but.. Is not normal.
    remove file..



    If you modify the same way as above normal.
    Work without any problem.

    When you modify the same applies to normal again.
    The first problem is that if the program works.
    Sorry, but I don't seem to understand what you're trying to say. Is there some sort of bug with Chrome when restarting apparmor? Please, I'm confused... Perhaps English is not your native language? It's not mine either, but I'm afraid I don't speak Korean. Do you have anyone that can help you translate?
    Read my technology blog at: http://penguincampaigner.wordpress.com

  10. #10
    Join Date
    Mar 2011
    Location
    South Korea
    Beans
    289
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    profile -> Is changed due to a bug
    Chromium

    Only occurs once.

    You must remove the faulty file.
    and..
    sudo /etc/init.d/apparmor restart
    and..
    And create a new profile(opt.google.chrome.google-chrome)
    Insert
    and..
    sudo /etc/init.d/apparmor restart

    See the command above.
    Answers can be found.
    Last edited by oklokl; July 4th, 2012 at 01:07 AM.
