From fe59b4d3f876447fbac1771a5483f03930839dc0 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 4 Sep 2022 19:25:26 +0000 Subject: [PATCH] Delete lightdm_chromium-browser --- .../abstractions/lightdm_chromium-browser | 76 ------------------- 1 file changed, 76 deletions(-) delete mode 100644 apparmor.d/abstractions/lightdm_chromium-browser diff --git a/apparmor.d/abstractions/lightdm_chromium-browser b/apparmor.d/abstractions/lightdm_chromium-browser deleted file mode 100644 index 0547de064..000000000 --- a/apparmor.d/abstractions/lightdm_chromium-browser +++ /dev/null @@ -1,76 +0,0 @@ -# vim:syntax=apparmor -# Profile abstraction for restricting chromium in the lightdm guest session -# Author: Jamie Strandboge - -# The abstraction provides the additional accesses required to launch -# chromium based browsers from within an lightdm session. Because AppArmor -# cannot yet merge profiles and because we want to utilize the access rules -# provided in abstractions/lightdm, this abstraction must be separate from -# abstractions/lightdm. - -# Requires apparmor 2.9 - - /usr/lib/chromium/chromium Cx -> chromium, - /usr/lib/chromium-browser/chromium-browser Cx -> chromium, - /usr/bin/webapp-container Cx -> chromium, - /usr/bin/webbrowser-app Cx -> chromium, - /usr/bin/ubuntu-html5-app-launcher Cx -> chromium, - /opt/google/chrome-stable/google-chrome-stable Cx -> chromium, - /opt/google/chrome-beta/google-chrome-beta Cx -> chromium, - /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium, - /opt/google/chrome/google-chrome Cx -> chromium, - - # Allow ptracing processes in the chromium child profile - ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium, - - # Allow receiving and sending signals to processes in the chromium child profile - signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium, - - # Allow communications with chromium child profile via unix sockets - unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium), - - profile chromium { - # Allow all the same accesses as other applications in the guest session - include - - # but also allow a few things because of chromium-browser's sandboxing that - # are not appropriate to other guest session applications. - owner @{PROC}/[0-9]*/oom_{,score_}adj w, - @{PROC}/sys/kernel/shmmax r, - capability sys_admin, # for sandbox to change namespaces - capability sys_chroot, # fod sandbox to chroot to a safe directory - capability setgid, # for sandbox to drop privileges - capability setuid, # for sandbox to drop privileges - capability sys_ptrace, # chromium needs this to keep track of itself - @{PROC}/sys/kernel/yama/ptrace_scope r, - - # Allow ptrace reads of processes in the lightdm-guest-session - ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session, - # Allow other guest session processes to read and trace us - ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session, - ptrace (readby, tracedby) peer=@{profile_name}, - - # Allow us to receive and send signals from processes in the - # lightdm-guest-session - signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session, - - # Allow us to receive and send on unix sockets from processes in the - # lightdm-guest-session - unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session), - - @{PROC}/[0-9]*/ r, # sandbox wants these - @{PROC}/[0-9]*/fd/ r, # sandbox wants these - @{PROC}/[0-9]*/statm r, # sandbox wants these - @{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these - - owner @{PROC}/@{pid}/setgroups w, - owner @{PROC}/@{pid}/uid_map w, - owner @{PROC}/@{pid}/gid_map w, - - /selinux/ r, - - /usr/lib/chromium/chrome-sandbox ix, - /usr/lib/chromium-browser/chromium-browser-sandbox ix, - /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix, - /opt/google/chrome-*/chrome-sandbox ix, - }