List: apparmor-dev
Subject: [apparmor] [Merge] ~skunk/apparmor-profiles:chromium-update into apparmor-profiles:master
From: "Daniel Richard G." <skunk () iskunk ! org>
Date: 2017-04-03 23:51:24
Message-ID: 20170403235122.28305.12462.launchpad () ackee ! canonical ! com
Daniel Richard G. has proposed merging ~skunk/apparmor-profiles:chromium-update into apparmor-profiles:master.
Requested reviews:
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~skunk/apparmor-profiles/+git/apparmor-profiles/+merge/321802
Update to get current Chromium versions working cleanly again in AppArmor.
--
Your team AppArmor Developers is requested to review the proposed merge of ~skunk/apparmor-profiles:chromium-update into apparmor-profiles:master.
["review-diff.txt" (review-diff.txt)]
diff --git a/ubuntu/17.04/usr.bin.chromium-browser b/ubuntu/17.04/usr.bin.chromium-browser
index 86f6aae..93c6bf1 100644
--- a/ubuntu/17.04/usr.bin.chromium-browser
+++ b/ubuntu/17.04/usr.bin.chromium-browser
@@ -40,23 +40,26 @@
owner @{PROC}/[0-9]*/stat r,
@{PROC}/[0-9]*/statm r,
owner @{PROC}/[0-9]*/status r,
+ owner @{PROC}/[0-9]*/task/[0-9]*/status r,
deny @{PROC}/[0-9]*/oom_{,score_}adj w,
@{PROC}/sys/kernel/yama/ptrace_scope r,
+ @{PROC}/sys/net/ipv4/tcp_fastopen r,
# Newer chromium needs these now
/etc/udev/udev.conf r,
+ /sys/devices/**/uevent r,
/sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
+ /sys/devices/system/node/node*/meminfo r,
/sys/devices/pci[0-9]*/**/class r,
/sys/devices/pci[0-9]*/**/device r,
/sys/devices/pci[0-9]*/**/irq r,
/sys/devices/pci[0-9]*/**/resource r,
/sys/devices/pci[0-9]*/**/vendor r,
/sys/devices/pci[0-9]*/**/removable r,
- /sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/pci[0-9]*/**/block/**/size r,
/sys/devices/virtual/block/**/removable r,
- /sys/devices/virtual/block/**/uevent r,
/sys/devices/virtual/block/**/size r,
+ /sys/devices/virtual/tty/tty*/active r,
# This is requested, but doesn't seem to actually be needed so deny for now
deny /run/udev/data/** r,
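Review bot: "/sys/devices/**/uevent r," replaces the two scoped rules it removes ("/sys/devices/pci[0-9]*/**/uevent" and "/sys/devices/virtual/block/**/uevent") with a glob that covers every device under /sys/devices, which is a much wider read grant than before. If a particular bus or device class produced the denial, add a rule scoped to that path and keep the two existing ones, or add a comment naming what Chromium reads there. The other new rules in this hunk (tcp_fastopen, node*/meminfo, tty*/active) would also benefit from a one-line comment on what requested them, since only "Newer chromium needs these now" is there to explain them.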
@@ -156,6 +159,7 @@
/{usr/,}bin/dash ixr,
/etc/ld.so.cache r,
+ /etc/xdg/** r,
/usr/bin/xdg-settings r,
/usr/lib/chromium-browser/xdg-settings r,
/usr/share/applications/*.desktop r,
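Review bot: "/etc/xdg/** r," grants read on the whole /etc/xdg tree, while the neighbouring rules in this block name individual files or a single glob level ("/usr/bin/xdg-settings r," and "/usr/share/applications/*.desktop r,"). Could this be narrowed to the paths that were actually denied, or at least carry a comment saying what reads them?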
@@ -189,11 +193,13 @@
/usr/include/python2.[4567]/pyconfig.h r,
/etc/lsb-release r,
/etc/debian_version r,
+ /etc/dpkg/origins/** r,
+ /usr/share/distro-info/** r,
/var/lib/dpkg/** r,
- /usr/local/lib/python3.[0-4]/dist-packages/ r,
+ /usr/local/lib/python3.[0-9]/dist-packages/ r,
/usr/bin/ r,
- /usr/bin/python3.[0-4] r,
+ /usr/bin/python3.[0-9] mr,
}
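Review bot: "/usr/bin/python3.[0-9] mr," does two things at once: it widens the version glob and it adds "m", and the merge description mentions neither. Please say which denial needed the executable mapping, since the rule it replaces was read-only. Note also that "[0-9]" matches a single character, so both python3 rules in this hunk stop matching at a two-digit minor version; a comment or a wider pattern would save the next update.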
@@ -258,7 +264,7 @@ profile chromium_browser_sandbox {
/usr/bin/chromium-browser r,
/usr/lib/chromium-browser/chromium-browser Px,
/usr/lib/chromium-browser/chromium-browser-sandbox r,
- /usr/lib/chromium-browser/chrome-sandbox r,
+ /usr/lib/chromium-browser/chrome-sandbox mr,
/dev/null rw,
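Review bot: "chrome-sandbox" goes from "r" to "mr" in profile chromium_browser_sandbox with no comment, while "chromium-browser-sandbox" on the line above it stays "r". Please record the denial that required "m" here (a comment above the rule is enough) and confirm whether the other sandbox path needs the same permission or is intentionally left read-only.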
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor