Hi Daniel,
On Fri, Sep 29, 2017 at 04:09:02PM -0400, Daniel Richard G. wrote:
> On Fri, 2017 Sep 29 00:18+0200, Guido Günther wrote:
> >
> > Attaching to this the report is fine. I can handle it from there.
> 
> Okay, greatly appreciated. My current profile is attached. Please Cc: me
> on the new bug report.
> 
> As it happens, this file is identical to the current version of the
> profile in the apparmor-profiles Git repository, with the exception of
> the Debian alias lines.
> 
> It seems that the AppArmor folks accepted my changes in the merge
> request, not by approving the merge, but by applying the changes to a
> new version-specific copy in the repo. They added a few more things of
> their own, which I have in turn merged into my/this copy.
> 
> I never heard anything from them about this, however; I learned of it
> only now, when I diffed my profile against their latest version. Their
> process could certainly stand to be more transparent.

> # Author: Jamie Strandboge <ja...@canonical.com>
> #include <tunables/global>
> 
> # Debian compatibility aliases
> # https://bugs.debian.org/742829
> #
> alias /etc/chromium-browser/ -> /etc/chromium/,
> alias /usr/bin/chromium-browser -> /usr/bin/chromium,
> alias /usr/lib/chromium-browser/chromium-browser-sandbox -> 
> /usr/lib/chromium/chrome-sandbox,
> alias /usr/lib/chromium-browser/chromium-browser -> 
> /usr/lib/chromium/chromium,
> alias /usr/lib/chromium-browser/ -> /usr/lib/chromium/,
> 
> # We need 'flags=(attach_disconnected)' in newer chromium versions
> /usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
>   #include <abstractions/audio>
>   #include <abstractions/cups-client>
>   #include <abstractions/dbus-session>
>   #include <abstractions/dbus-strict>
>   #include <abstractions/gnome>
>   #include <abstractions/ibus>
>   #include <abstractions/nameservice>
>   #include <abstractions/user-tmp>
> 
>   # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
>   # you want access to productivity applications, adjust the following file
>   # accordingly.
>   #include <abstractions/ubuntu-browsers.d/chromium-browser>

This abstraction file is currently not shipped in Debian's apparmor
package. @intrigeri, can it be added there? I assume we don't want other
packages to mess around in abstractions? If it can't be added, I can pull
the rules from that file into the profile instead.

I'm attaching a patch against chromium here for reference.
Cheers,
 -- Guido

> 
>   # Networking
>   network inet stream,
>   network inet6 stream,
>   @{PROC}/[0-9]*/net/if_inet6 r,
>   @{PROC}/[0-9]*/net/ipv6_route r,
> 
>   # Should maybe be in abstractions
>   /etc/mime.types r,
>   /etc/mailcap r,
>   /etc/mtab r,
>   /etc/xdg/xubuntu/applications/defaults.list r,
>   owner @{HOME}/.local/share/applications/defaults.list r,
>   owner @{HOME}/.local/share/applications/mimeinfo.cache r,
> 
>   @{PROC}/[0-9]*/fd/ r,
>   @{PROC}/filesystems r,
>   @{PROC}/ r,
>   @{PROC}/[0-9]*/task/[0-9]*/stat r,
>   owner @{PROC}/[0-9]*/cmdline r,
>   owner @{PROC}/[0-9]*/io r,
>   owner @{PROC}/[0-9]*/setgroups w,
>   owner @{PROC}/[0-9]*/{uid,gid}_map w,
>   @{PROC}/[0-9]*/smaps r,
>   owner @{PROC}/[0-9]*/stat r,
>   @{PROC}/[0-9]*/statm r,
>   owner @{PROC}/[0-9]*/status r,
>   owner @{PROC}/[0-9]*/task/[0-9]*/status r,
>   deny @{PROC}/[0-9]*/oom_{,score_}adj w,
>   @{PROC}/sys/kernel/yama/ptrace_scope r,
>   @{PROC}/sys/net/ipv4/tcp_fastopen r,
> 
>   # Newer chromium needs these now
>   /etc/udev/udev.conf r,
>   /sys/devices/**/uevent r,
>   /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
>   /sys/devices/system/node/node*/meminfo r,
>   /sys/devices/pci[0-9]*/**/class r,
>   /sys/devices/pci[0-9]*/**/device r,
>   /sys/devices/pci[0-9]*/**/irq r,
>   /sys/devices/pci[0-9]*/**/resource r,
>   /sys/devices/pci[0-9]*/**/vendor r,
>   /sys/devices/pci[0-9]*/**/removable r,
>   /sys/devices/pci[0-9]*/**/block/**/size r,
>   /sys/devices/virtual/block/**/removable r,
>   /sys/devices/virtual/block/**/size r,
>   /sys/devices/virtual/tty/tty*/active r,
>   # This is requested, but doesn't seem to actually be needed so deny for now
>   deny /run/udev/data/** r,
> 
>   # Needed for the crash reporter
>   owner @{PROC}/[0-9]*/auxv r,
> 
>   # chromium mmaps all kinds of things for speed.
>   /etc/passwd m,
>   /usr/share/fonts/truetype/**/*.tt[cf] m,
>   /usr/share/fonts/**/*.pfb m,
>   /usr/share/mime/mime.cache m,
>   /usr/share/icons/**/*.cache m,
>   owner /{dev,run}/shm/pulse-shm* m,
>   owner @{HOME}/.local/share/mime/mime.cache m,
>   owner /tmp/** m,
> 
>   @{PROC}/sys/kernel/shmmax r,
>   owner /{dev,run}/shm/{,.}org.chromium.* mrw,
>   owner /{,var/}run/shm/shmfd-* mrw,
> 
>   /usr/lib/chromium-browser/*.pak mr,
>   /usr/lib/chromium-browser/locales/* mr,
> 
>   # Noisy
>   deny /usr/lib/chromium-browser/** w,
> 
>   capability sys_admin,
>   capability sys_chroot,
>   capability sys_ptrace,
> 
>   # Allow ptracing ourselves
>   ptrace (trace) peer=@{profile_name},
> 
>   # Make browsing directories work
>   / r,
>   /**/ r,
> 
>   # Allow access to documentation and other files the user may want to look
>   # at in /usr
>   /usr/{include,share,src}** r,
> 
>   # Default profile allows downloads to ~/Downloads and uploads from ~/Public
>   owner @{HOME}/ r,
>   owner @{HOME}/Public/ r,
>   owner @{HOME}/Public/* r,
>   owner @{HOME}/Downloads/ r,
>   owner @{HOME}/Downloads/* rw,
> 
>   # For migration
>   owner @{HOME}/.mozilla/firefox/profiles.ini r,
>   owner @{HOME}/.mozilla/firefox/*/prefs.js r,
> 
>   # Helpers
>   /usr/bin/xdg-open ixr,
>   /usr/bin/gnome-open ixr,
>   /usr/bin/gvfs-open ixr,
>   /usr/bin/kdialog ixr,
>   # TODO: xfce
> 
>   # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
>   # which is provided by abstractions/ubuntu-browsers.d/user-files).
>   /etc/firefox/profile/bookmarks.html r,
>   owner @{HOME}/.mozilla/** k,
> 
>   # Chromium Policies
>   /etc/chromium-browser/policies/** r,
> 
>   # Chromium configuration
>   owner @{HOME}/.pki/nssdb/* rwk,
>   owner @{HOME}/.cache/chromium/ rw,
>   owner @{HOME}/.cache/chromium/** rw,
>   owner @{HOME}/.cache/chromium/Cache/* mr,
>   owner @{HOME}/.config/chromium/ rw,
>   owner @{HOME}/.config/chromium/** rwk,
>   owner @{HOME}/.config/chromium/**/Cache/* mr,
>   owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
>   owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
> 
>   # Allow transitions to ourself and our sandbox
>   /usr/lib/chromium-browser/chromium-browser ix,
>   /usr/lib/chromium-browser/chromium-browser-sandbox cx -> 
> chromium_browser_sandbox,
>   /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,
> 
>   # Allow communicating with sandbox
>   unix (receive, send) 
> peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox),
> 
>   /{usr/,}bin/ps Uxr,
>   /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
>   /usr/bin/xdg-settings Cxr -> xdgsettings,
>   /usr/bin/lsb_release Cxr -> lsb_release,
> 
>   # GSettings
>   owner /{,var/}run/user/*/dconf/     rw,
>   owner /{,var/}run/user/*/dconf/user rw,
>   owner @{HOME}/.config/dconf/user r,
> 
>   profile xdgsettings {
>     #include <abstractions/bash>
>     #include <abstractions/gnome>
> 
>     /{usr/,}bin/dash ixr,
> 
>     /etc/ld.so.cache r,
>     /etc/xdg/** r,
>     /usr/bin/xdg-settings r,
>     /usr/lib/chromium-browser/xdg-settings r,
>     /usr/share/applications/*.desktop r,
> 
>     # Checking default browser
>     /{usr/,}bin/grep ixr,
>     /{usr/,}bin/readlink ixr,
>     /{usr/,}bin/sed ixr,
>     /{usr/,}bin/which ixr,
>     /usr/bin/basename ixr,
>     /usr/bin/cut ixr,
> 
>     # Setting the default browser
>     /{usr/,}bin/mkdir ixr,
>     /{usr/,}bin/mv ixr,
>     /{usr/,}bin/touch ixr,
>     /usr/bin/dirname ixr,
>     /usr/bin/gconftool-2 ix,
>     /usr/bin/[gm]awk ixr,
>     /usr/bin/xdg-mime ixr,
>     owner @{HOME}/.local/share/applications/ w,
>     owner @{HOME}/.local/share/applications/mimeapps.list* rw,
>   }
> 
>   profile lsb_release {
>     #include <abstractions/base>
>     #include <abstractions/python>
>     /usr/bin/lsb_release r,
>     /{usr/,}bin/dash ixr,
>     /usr/bin/dpkg-query ixr,
>     /usr/include/python2.[4567]/pyconfig.h r,
>     /etc/lsb-release r,
>     /etc/debian_version r,
>     /etc/dpkg/origins/** r,
>     /usr/share/distro-info/** r,
>     /var/lib/dpkg/** r,
> 
>     /usr/local/lib/python3.[0-9]/dist-packages/ r,
>     /usr/bin/ r,
>     /usr/bin/python3.[0-9] mr,
>   }
> 
> 
>   # Site-specific additions and overrides. See local/README for details.
>   #include <local/usr.bin.chromium-browser>
> 
> profile chromium_browser_sandbox {
>     # Be fanatical since it is setuid root and don't use an abstraction
>     /{usr/,}lib/libgcc_s.so* mr,
>     /{usr/,}lib/@{multiarch}/libgcc_s.so* mr,
>     /{usr/,}lib{,32,64}/libm-*.so* mr,
>     /{usr/,}lib/@{multiarch}/libm-*.so* mr,
>     /{usr/,}lib{,32,64}/libpthread-*.so* mr,
>     /{usr/,}lib/@{multiarch}/libpthread-*.so* mr,
>     /{usr/,}lib{,32,64}/libc-*.so* mr,
>     /{usr/,}lib/@{multiarch}/libc-*.so* mr,
>     /{usr/,}lib{,32,64}/libld-*.so* mr,
>     /{usr/,}lib/@{multiarch}/libld-*.so* mr,
>     /{usr/,}lib{,32,64}/ld-*.so* mr,
>     /{usr/,}lib/@{multiarch}/ld-*.so* mr,
>     /{usr/,}lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
>     /{usr/,}lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
>     /{usr/,}lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
>     /usr/lib/libstdc++.so* mr,
>     /usr/lib/@{multiarch}/libstdc++.so* mr,
>     /etc/ld.so.cache r,
> 
>     # Required for dropping into PID namespace. Keep in mind that until the
>     # process drops this capability it can escape confinement, but once it
>     # drops CAP_SYS_ADMIN we are ok.
>     capability sys_admin,
> 
>     # All of these are for sanely dropping from root and chrooting
>     capability chown,
>     capability fsetid,
>     capability setgid,
>     capability setuid,
>     capability dac_override,
>     capability sys_chroot,
> 
>     capability sys_ptrace,
>     ptrace (read, readby),
> 
>     signal (receive) peer=unconfined,
>     signal peer=@{profile_name},
>     signal (receive, send) set=("exists"),
>     signal (receive) peer=/usr/lib/chromium-browser/chromium-browser,
> 
>     unix (receive, send) 
> peer=(label=/usr/lib/chromium-browser/chromium-browser),
>     unix (create),
>     unix peer=(label=@{profile_name}),
>     unix (getattr, getopt, setopt, shutdown) addr=none,
> 
>     @{PROC}/ r,
>     @{PROC}/[0-9]*/ r,
>     @{PROC}/[0-9]*/fd/ r,
>     deny @{PROC}/[0-9]*/oom_adj w,
>     deny @{PROC}/[0-9]*/oom_score_adj w,
>     @{PROC}/[0-9]*/status r,
>     @{PROC}/[0-9]*/task/[0-9]*/stat r,
> 
>     /usr/bin/chromium-browser r,
>     /usr/lib/chromium-browser/chromium-browser Px,
>     /usr/lib/chromium-browser/chromium-browser-sandbox r,
>     /usr/lib/chromium-browser/chrome-sandbox mr,
> 
>     /dev/null rw,
> 
>     owner /tmp/** rw,
>   }
> }

From 63a384fd9ca7f127df5b37c13ccafe22c01e90cc Mon Sep 17 00:00:00 2001
From: Guido Günther <a...@sigxcpu.org>
Date: Sat, 30 Sep 2017 11:26:15 +0200
Subject: [PATCH] Add apparmor profile

The profile is based on the Ubuntu one and was provided by Daniel
Richard G.
---
 debian/apparmor/usr.bin.chromium | 289 +++++++++++++++++++++++++++++++++++++++
 debian/chromium.install          |   2 +
 debian/control                   |   1 +
 debian/rules                     |   1 +
 4 files changed, 293 insertions(+)
 create mode 100644 debian/apparmor/usr.bin.chromium

diff --git a/debian/apparmor/usr.bin.chromium b/debian/apparmor/usr.bin.chromium
new file mode 100644
index 0000000..ca924d0
--- /dev/null
+++ b/debian/apparmor/usr.bin.chromium
@@ -0,0 +1,289 @@
+# Author: Jamie Strandboge <ja...@canonical.com>
+#include <tunables/global>
+
+# Debian compatibility aliases
+# https://bugs.debian.org/742829
+#
+alias /etc/chromium-browser/ -> /etc/chromium/,
+alias /usr/bin/chromium-browser -> /usr/bin/chromium,
+alias /usr/lib/chromium-browser/chromium-browser-sandbox -> /usr/lib/chromium/chrome-sandbox,
+alias /usr/lib/chromium-browser/chromium-browser -> /usr/lib/chromium/chromium,
+alias /usr/lib/chromium-browser/ -> /usr/lib/chromium/,
+
+# We need 'flags=(attach_disconnected)' in newer chromium versions
+/usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
+  #include <abstractions/audio>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus-session>
+  #include <abstractions/dbus-strict>
+  #include <abstractions/gnome>
+  #include <abstractions/ibus>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
+  # you want access to productivity applications, adjust the following file
+  # accordingly.
+  #include <abstractions/ubuntu-browsers.d/chromium-browser>
+
+  # Networking
+  network inet stream,
+  network inet6 stream,
+  @{PROC}/[0-9]*/net/if_inet6 r,
+  @{PROC}/[0-9]*/net/ipv6_route r,
+
+  # Should maybe be in abstractions
+  /etc/mime.types r,
+  /etc/mailcap r,
+  /etc/mtab r,
+  /etc/xdg/xubuntu/applications/defaults.list r,
+  owner @{HOME}/.local/share/applications/defaults.list r,
+  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+
+  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/filesystems r,
+  @{PROC}/ r,
+  @{PROC}/[0-9]*/task/[0-9]*/stat r,
+  owner @{PROC}/[0-9]*/cmdline r,
+  owner @{PROC}/[0-9]*/io r,
+  owner @{PROC}/[0-9]*/setgroups w,
+  owner @{PROC}/[0-9]*/{uid,gid}_map w,
+  @{PROC}/[0-9]*/smaps r,
+  owner @{PROC}/[0-9]*/stat r,
+  @{PROC}/[0-9]*/statm r,
+  owner @{PROC}/[0-9]*/status r,
+  owner @{PROC}/[0-9]*/task/[0-9]*/status r,
+  deny @{PROC}/[0-9]*/oom_{,score_}adj w,
+  @{PROC}/sys/kernel/yama/ptrace_scope r,
+  @{PROC}/sys/net/ipv4/tcp_fastopen r,
+
+  # Newer chromium needs these now
+  /etc/udev/udev.conf r,
+  /sys/devices/**/uevent r,
+  /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
+  /sys/devices/system/node/node*/meminfo r,
+  /sys/devices/pci[0-9]*/**/class r,
+  /sys/devices/pci[0-9]*/**/device r,
+  /sys/devices/pci[0-9]*/**/irq r,
+  /sys/devices/pci[0-9]*/**/resource r,
+  /sys/devices/pci[0-9]*/**/vendor r,
+  /sys/devices/pci[0-9]*/**/removable r,
+  /sys/devices/pci[0-9]*/**/block/**/size r,
+  /sys/devices/virtual/block/**/removable r,
+  /sys/devices/virtual/block/**/size r,
+  /sys/devices/virtual/tty/tty*/active r,
+  # This is requested, but doesn't seem to actually be needed so deny for now
+  deny /run/udev/data/** r,
+
+  # Needed for the crash reporter
+  owner @{PROC}/[0-9]*/auxv r,
+
+  # chromium mmaps all kinds of things for speed.
+  /etc/passwd m,
+  /usr/share/fonts/truetype/**/*.tt[cf] m,
+  /usr/share/fonts/**/*.pfb m,
+  /usr/share/mime/mime.cache m,
+  /usr/share/icons/**/*.cache m,
+  owner /{dev,run}/shm/pulse-shm* m,
+  owner @{HOME}/.local/share/mime/mime.cache m,
+  owner /tmp/** m,
+
+  @{PROC}/sys/kernel/shmmax r,
+  owner /{dev,run}/shm/{,.}org.chromium.* mrw,
+  owner /{,var/}run/shm/shmfd-* mrw,
+
+  /usr/lib/chromium-browser/*.pak mr,
+  /usr/lib/chromium-browser/locales/* mr,
+
+  # Noisy
+  deny /usr/lib/chromium-browser/** w,
+
+  capability sys_admin,
+  capability sys_chroot,
+  capability sys_ptrace,
+
+  # Allow ptracing ourselves
+  ptrace (trace) peer=@{profile_name},
+
+  # Make browsing directories work
+  / r,
+  /**/ r,
+
+  # Allow access to documentation and other files the user may want to look
+  # at in /usr
+  /usr/{include,share,src}** r,
+
+  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+  owner @{HOME}/ r,
+  owner @{HOME}/Public/ r,
+  owner @{HOME}/Public/* r,
+  owner @{HOME}/Downloads/ r,
+  owner @{HOME}/Downloads/* rw,
+
+  # For migration
+  owner @{HOME}/.mozilla/firefox/profiles.ini r,
+  owner @{HOME}/.mozilla/firefox/*/prefs.js r,
+
+  # Helpers
+  /usr/bin/xdg-open ixr,
+  /usr/bin/gnome-open ixr,
+  /usr/bin/gvfs-open ixr,
+  /usr/bin/kdialog ixr,
+  # TODO: xfce
+
+  # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
+  # which is provided by abstractions/ubuntu-browsers.d/user-files).
+  /etc/firefox/profile/bookmarks.html r,
+  owner @{HOME}/.mozilla/** k,
+
+  # Chromium Policies
+  /etc/chromium-browser/policies/** r,
+
+  # Chromium configuration
+  owner @{HOME}/.pki/nssdb/* rwk,
+  owner @{HOME}/.cache/chromium/ rw,
+  owner @{HOME}/.cache/chromium/** rw,
+  owner @{HOME}/.cache/chromium/Cache/* mr,
+  owner @{HOME}/.config/chromium/ rw,
+  owner @{HOME}/.config/chromium/** rwk,
+  owner @{HOME}/.config/chromium/**/Cache/* mr,
+  owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
+  owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
+
+  # Allow transitions to ourself and our sandbox
+  /usr/lib/chromium-browser/chromium-browser ix,
+  /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
+  /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,
+
+  # Allow communicating with sandbox
+  unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox),
+
+  /{usr/,}bin/ps Uxr,
+  /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
+  /usr/bin/xdg-settings Cxr -> xdgsettings,
+  /usr/bin/lsb_release Cxr -> lsb_release,
+
+  # GSettings
+  owner /{,var/}run/user/*/dconf/     rw,
+  owner /{,var/}run/user/*/dconf/user rw,
+  owner @{HOME}/.config/dconf/user r,
+
+  profile xdgsettings {
+    #include <abstractions/bash>
+    #include <abstractions/gnome>
+
+    /{usr/,}bin/dash ixr,
+
+    /etc/ld.so.cache r,
+    /etc/xdg/** r,
+    /usr/bin/xdg-settings r,
+    /usr/lib/chromium-browser/xdg-settings r,
+    /usr/share/applications/*.desktop r,
+
+    # Checking default browser
+    /{usr/,}bin/grep ixr,
+    /{usr/,}bin/readlink ixr,
+    /{usr/,}bin/sed ixr,
+    /{usr/,}bin/which ixr,
+    /usr/bin/basename ixr,
+    /usr/bin/cut ixr,
+
+    # Setting the default browser
+    /{usr/,}bin/mkdir ixr,
+    /{usr/,}bin/mv ixr,
+    /{usr/,}bin/touch ixr,
+    /usr/bin/dirname ixr,
+    /usr/bin/gconftool-2 ix,
+    /usr/bin/[gm]awk ixr,
+    /usr/bin/xdg-mime ixr,
+    owner @{HOME}/.local/share/applications/ w,
+    owner @{HOME}/.local/share/applications/mimeapps.list* rw,
+  }
+
+  profile lsb_release {
+    #include <abstractions/base>
+    #include <abstractions/python>
+    /usr/bin/lsb_release r,
+    /{usr/,}bin/dash ixr,
+    /usr/bin/dpkg-query ixr,
+    /usr/include/python2.[4567]/pyconfig.h r,
+    /etc/lsb-release r,
+    /etc/debian_version r,
+    /etc/dpkg/origins/** r,
+    /usr/share/distro-info/** r,
+    /var/lib/dpkg/** r,
+
+    /usr/local/lib/python3.[0-9]/dist-packages/ r,
+    /usr/bin/ r,
+    /usr/bin/python3.[0-9] mr,
+  }
+
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.chromium-browser>
+
+profile chromium_browser_sandbox {
+    # Be fanatical since it is setuid root and don't use an abstraction
+    /{usr/,}lib/libgcc_s.so* mr,
+    /{usr/,}lib/@{multiarch}/libgcc_s.so* mr,
+    /{usr/,}lib{,32,64}/libm-*.so* mr,
+    /{usr/,}lib/@{multiarch}/libm-*.so* mr,
+    /{usr/,}lib{,32,64}/libpthread-*.so* mr,
+    /{usr/,}lib/@{multiarch}/libpthread-*.so* mr,
+    /{usr/,}lib{,32,64}/libc-*.so* mr,
+    /{usr/,}lib/@{multiarch}/libc-*.so* mr,
+    /{usr/,}lib{,32,64}/libld-*.so* mr,
+    /{usr/,}lib/@{multiarch}/libld-*.so* mr,
+    /{usr/,}lib{,32,64}/ld-*.so* mr,
+    /{usr/,}lib/@{multiarch}/ld-*.so* mr,
+    /{usr/,}lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
+    /{usr/,}lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
+    /{usr/,}lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
+    /usr/lib/libstdc++.so* mr,
+    /usr/lib/@{multiarch}/libstdc++.so* mr,
+    /etc/ld.so.cache r,
+
+    # Required for dropping into PID namespace. Keep in mind that until the
+    # process drops this capability it can escape confinement, but once it
+    # drops CAP_SYS_ADMIN we are ok.
+    capability sys_admin,
+
+    # All of these are for sanely dropping from root and chrooting
+    capability chown,
+    capability fsetid,
+    capability setgid,
+    capability setuid,
+    capability dac_override,
+    capability sys_chroot,
+
+    capability sys_ptrace,
+    ptrace (read, readby),
+
+    signal (receive) peer=unconfined,
+    signal peer=@{profile_name},
+    signal (receive, send) set=("exists"),
+    signal (receive) peer=/usr/lib/chromium-browser/chromium-browser,
+
+    unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser),
+    unix (create),
+    unix peer=(label=@{profile_name}),
+    unix (getattr, getopt, setopt, shutdown) addr=none,
+
+    @{PROC}/ r,
+    @{PROC}/[0-9]*/ r,
+    @{PROC}/[0-9]*/fd/ r,
+    deny @{PROC}/[0-9]*/oom_adj w,
+    deny @{PROC}/[0-9]*/oom_score_adj w,
+    @{PROC}/[0-9]*/status r,
+    @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+    /usr/bin/chromium-browser r,
+    /usr/lib/chromium-browser/chromium-browser Px,
+    /usr/lib/chromium-browser/chromium-browser-sandbox r,
+    /usr/lib/chromium-browser/chrome-sandbox mr,
+
+    /dev/null rw,
+
+    owner /tmp/** rw,
+  }
+}
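Review bot: The site-local include near the end of the main profile references `local/usr.bin.chromium-browser`, but debian/rules in this same patch calls `dh_apparmor --profile-name=usr.bin.chromium`, which creates `/etc/apparmor.d/local/usr.bin.chromium`, so unless the package ships the `-browser` file some other way apparmor_parser will fail on the missing include and the profile never loads. The line should read `#include <local/usr.bin.chromium>` (on parsers that support it, `#include if exists <local/usr.bin.chromium>` tolerates a missing file — confirm the target release's apparmor version). Separately, the main browser profile grants `capability sys_admin`, `capability sys_chroot` and `capability sys_ptrace` without any justification, while the sandbox sub-profile carefully documents why it needs sys_admin; a short comment such as `# sys_admin/sys_chroot: presumably for the unprivileged-namespace sandbox (see setgroups/{uid,gid}_map above); sys_ptrace: crash reporter — confirm` would make later audits of this broad grant possible. The `profile chromium_browser_sandbox {` line sits at column 0 while its body and closing brace are indented as a child profile; indent it two spaces to match `xdgsettings` and `lsb_release`.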
diff --git a/debian/chromium.install b/debian/chromium.install
index 6b20df4..039b43c 100644
--- a/debian/chromium.install
+++ b/debian/chromium.install
@@ -19,3 +19,5 @@ debian/chromium.desktop usr/share/applications
 debian/apikeys etc/chromium.d
 debian/extensions etc/chromium.d
 debian/default-flags etc/chromium.d
+
+debian/apparmor/usr.bin.chromium etc/apparmor.d
diff --git a/debian/control b/debian/control
index 695d483..6e75760 100644
--- a/debian/control
+++ b/debian/control
@@ -9,6 +9,7 @@ Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git
 Homepage: http://www.chromium.org/Home
 Build-Depends:
  debhelper (>= 10),
+ dh-apparmor,
  python3,
  pkg-config,
  ninja-build,
diff --git a/debian/rules b/debian/rules
index 8da3679..fe0f6e2 100755
--- a/debian/rules
+++ b/debian/rules
@@ -130,6 +130,7 @@ override_dh_auto_install-arch:
 	    mkdir -p $$dst; \
 	    cp $$file $$dst/chromium.$$ext; \
 	    done
+	dh_apparmor --profile-name=usr.bin.chromium -p chromium
 
 override_dh_fixperms:
 	dh_fixperms --exclude chrome-sandbox
-- 
2.14.2
