From 84f3f947cb343c81af50d2cc1868260c7c8ab846 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 13 Sep 2025 01:11:18 +0200
Subject: [PATCH] feat(abs): improve chromium common.
---
 apparmor.d/abstractions/common/chromium | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium
index 340092f23..23f4544a3 100644
--- a/apparmor.d/abstractions/common/chromium
+++ b/apparmor.d/abstractions/common/chromium
@@ -17,9 +17,14 @@
 userns,
+ # Required for dropping into PID namespace. Keep in mind that until the
+ # process drops this capability it can escape confinement, but once it
+ # drops CAP_SYS_ADMIN we are ok.
+ capability sys_admin,
+
+ # All of these are for sanely dropping from root and chrooting
 capability setgid, # If kernel.unprivileged_userns_clone = 1
 capability setuid, # If kernel.unprivileged_userns_clone = 1
- capability sys_admin,
 capability sys_chroot,
 capability sys_ptrace,
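Review bot: The new comment on `capability sys_admin` states the risk but not the condition under which the rule is needed, whereas the neighbouring `setgid`/`setuid` lines carry `# If kernel.unprivileged_userns_clone = 1`; because this abstraction is shared by every profile that includes it, a reader cannot tell whether the grant is still required where `userns,` (two lines above) already applies. Presumably it is only exercised by the privileged sandbox fallback when unprivileged user namespaces are unavailable — if so, annotate it the same way, e.g. `# If kernel.unprivileged_userns_clone = 0 (privileged sandbox helper fallback)`. The phrase "can escape confinement" is also worth making precise, since the capability does not by itself switch off AppArmor mediation; naming the concrete operation the sentence has in mind would make the caveat verifiable rather than alarming. The capability block may continue past the end of this hunk.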
@@ -33,20 +38,22 @@
 owner @{tmp}/.@{domain}.@{rand6} rw,
 owner @{tmp}/.@{domain}.@{rand6}/ rw,
- owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w,
- owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w,
+ owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw,
+ owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw,
 owner @{tmp}/scoped_dir@{rand6}/ rw,
- owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w,
- owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
- owner @{tmp}/scoped_dir@{rand6}/SS w,
+ owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw,
+ owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw,
+ owner @{tmp}/scoped_dir@{rand6}/SS rw,
 /dev/shm/ r,
 owner /dev/shm/.@{domain}.@{rand6} rw,
 @{sys}/devices/system/cpu/kernel_max r,
+ @{sys}/devices/virtual/tty/tty@{int}/active r,
+
+ # Allow getting the manufacturer and model of the computer where chromium is currently running.
 @{sys}/devices/virtual/dmi/id/product_name r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
- @{sys}/devices/virtual/tty/tty@{int}/active r,
 # If kernel.unprivileged_userns_clone = 1
 owner @{PROC}/@{pid}/setgroups w,
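Review bot: The five SingletonCookie/SingletonSocket/SS rules are widened from `w` to `rw` without a word on why read access is now needed on paths that are a lock cookie and a socket; presumably this comes from observed denials when the running instance reads the cookie back and stats the socket path, and a one-line comment such as `# Singleton lock files are read back, not only created` above the first widened rule would stop the next reviewer from tightening them back to `w`. The added DMI comment also runs well past the width the file wraps at in the first hunk of this patch; split it as `# Allow getting the manufacturer and model of the computer where chromium` / `# is currently running.` so it matches the rest of the file.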