/etc/apparmor.d/usr.bin.chromium-browser is in apparmor-profiles 2.7.103-4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 | # Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>
# We need 'flags=(attach_disconnected)' in newer chromium versions
/usr/lib/chromium-browser/chromium-browser flags=(complain,attach_disconnected) {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/cups-client>
#include <abstractions/dbus-session>
#include <abstractions/fonts>
#include <abstractions/freedesktop.org>
#include <abstractions/gnome>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
# This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
# you want access to productivity applications, adjust the following file
# accordingly.
#include <abstractions/ubuntu-browsers.d/chromium-browser>
# Networking
network inet stream,
network inet6 stream,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
# Should maybe be in abstractions
/etc/mime.types r,
/etc/mailcap r,
/etc/xdg/xubuntu/applications/defaults.list r,
owner @{HOME}/.local/share/applications/defaults.list r,
owner @{HOME}/.local/share/applications/mimeinfo.cache r,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/filesystems r,
@{PROC}/ r,
@{PROC}/[0-9]*/task/[0-9]*/stat r,
owner @{PROC}/[0-9]*/cmdline r,
owner @{PROC}/[0-9]*/io r,
owner @{PROC}/[0-9]*/stat r,
owner @{PROC}/[0-9]*/status r,
# Newer chromium needs these now
/sys/devices/pci[0-9]*/**/class r,
/sys/devices/pci[0-9]*/**/device r,
/sys/devices/pci[0-9]*/**/irq r,
/sys/devices/pci[0-9]*/**/resource r,
/sys/devices/pci[0-9]*/**/vendor r,
# Needed for the crash reporter
owner @{PROC}/[0-9]*/auxv r,
# chromium mmaps all kinds of things for speed.
/etc/passwd m,
/usr/share/fonts/truetype/**/*.tt[cf] m,
/usr/share/fonts/**/*.pfb m,
/usr/share/mime/mime.cache m,
/usr/share/icons/**/*.cache m,
owner /{dev,run}/shm/pulse-shm* m,
owner @{HOME}/.local/share/mime/mime.cache m,
owner /tmp/** m,
@{PROC}/sys/kernel/shmmax r,
owner /{dev,run}/shm/{,.}org.chromium.* mrw,
/usr/lib/chromium-browser/*.pak mr,
/usr/lib/chromium-browser/locales/* mr,
# Noisy
deny /usr/lib/chromium-browser/** w,
# Make browsing directories work
/ r,
/**/ r,
# Allow access to documentation and other files the user may want to look
# at in /usr
/usr/{include,share,src}** r,
# Default profile allows downloads to ~/Downloads and uploads from ~/Public
owner @{HOME}/ r,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
# Helpers
/usr/bin/xdg-open ixr,
/usr/bin/gnome-open ixr,
/usr/bin/gvfs-open ixr,
# TODO: kde, xfce
# Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
# which is provided by abstractions/ubuntu-browsers.d/user-files).
@{PROC}/[0-9]*/oom_{,score_}adj w,
/etc/firefox/profile/bookmarks.html r,
owner @{HOME}/.mozilla/** k,
# Chromium configuration
owner @{HOME}/.pki/nssdb/* rwk,
owner @{HOME}/.cache/chromium/ rw,
owner @{HOME}/.cache/chromium/** rw,
owner @{HOME}/.cache/chromium/Cache/* mr,
owner @{HOME}/.config/chromium/ rw,
owner @{HOME}/.config/chromium/** rwk,
owner @{HOME}/.config/chromium/**/Cache/* mr,
owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
# Allow transitions to ourself and our sandbox
/usr/lib/chromium-browser/chromium-browser ix,
/usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
# TODO: child profile
/bin/ps Uxr,
/usr/lib/chromium-browser/xdg-settings Ux,
/usr/bin/xdg-settings Ux,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.chromium-browser>
profile chromium_browser_sandbox flags=(complain) {
# Be fanatical since it is setuid root and don't use an abstraction
/lib/libgcc_s.so* mr,
/lib{,32,64}/libm-*.so* mr,
/lib/@{multiarch}/libm-*.so* mr,
/lib{,32,64}/libpthread-*.so* mr,
/lib/@{multiarch}/libpthread-*.so* mr,
/lib{,32,64}/libc-*.so* mr,
/lib/@{multiarch}/libc-*.so* mr,
/lib{,32,64}/libld-*.so* mr,
/lib/@{multiarch}/libld-*.so* mr,
/lib{,32,64}/ld-*.so* mr,
/lib/@{multiarch}/ld-*.so* mr,
/lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
/lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
/lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
/usr/lib/libstdc++.so* mr,
/etc/ld.so.cache r,
# Required for dropping into PID namespace. Keep in mind that until the
# process drops this capability it can escape confinement, but once it
# drops CAP_SYS_ADMIN we are ok.
capability sys_admin,
# All of these are for sanely dropping from root and chrooting
capability chown,
capability fsetid,
capability setgid,
capability setuid,
capability dac_override,
capability sys_chroot,
# *Sigh*
capability sys_ptrace,
@{PROC}/ r,
@{PROC}/[0-9]*/ r,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/oom_adj w,
@{PROC}/[0-9]*/oom_score_adj w,
@{PROC}/[0-9]*/task/[0-9]*/stat r,
/usr/bin/chromium-browser r,
/usr/lib/chromium-browser/chromium-browser Px,
/usr/lib/chromium-browser/chromium-browser-sandbox r,
owner /tmp/** rw,
}
}
|