--- a/data/apparmor/abstractions/lightdm
+++ b/data/apparmor/abstractions/lightdm
@@ -11,7 +11,6 @@
#include <abstractions/cups-client>
#include <abstractions/dbus>
#include <abstractions/dbus-session>
- #include <abstractions/dbus-accessibility>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
/etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
@@ -74,10 +73,11 @@
capability ipc_lock,
# allow processes in the guest session to signal and ptrace each other
- signal peer=@{profile_name},
- ptrace peer=@{profile_name},
- # needed when logging out of the guest session
- signal (receive) peer=unconfined,
+ # this doesn't work with the current Debian apparmor
+ #signal peer=@{profile_name},
+ #ptrace peer=@{profile_name},
+ ## needed when logging out of the guest session
+ #signal (receive) peer=unconfined,
# silence warnings for stuff that we really don't want to grant
deny capability dac_override,
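Review bot: Commenting out the `signal` and `ptrace` rules leaves the retained line `# allow processes in the guest session to signal and ptrace each other` describing rules that are no longer active. The new `# this doesn't work with the current Debian apparmor` names neither a version nor a bug, so nobody can tell when the rules should be restored. If a later AppArmor on the target does mediate signals and ptrace, a profile without these rules would presumably deny guest processes signalling each other and the logout signal from unconfined. Until then, this abstraction places no restriction on either. I would record the condition in the comment, for example `# disabled: signal/ptrace rules not supported by apparmor <VERSION-PLACEHOLDER> in Debian (see <BUG-PLACEHOLDER>); re-enable once supported`.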
--- a/data/apparmor/abstractions/lightdm_chromium-browser
+++ b/data/apparmor/abstractions/lightdm_chromium-browser
@@ -8,6 +8,7 @@
# provided in abstractions/lightdm, this abstraction must be separate from
# abstractions/lightdm.
+ /usr/lib/chromium/chromium Cx -> chromium,
/usr/lib/chromium-browser/chromium-browser Cx -> chromium,
/usr/bin/webapp-container Cx -> chromium,
/usr/bin/webbrowser-app Cx -> chromium,
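Review bot: The added `/usr/lib/chromium/chromium Cx -> chromium,` rule, and the matching `/usr/lib/chromium/chrome-sandbox ix,` in the next hunk, carry no comment saying which package layout they cover. A trailing `# Debian chromium package path` on each (presumably what is meant) would keep the list readable. The `chromium` child profile is defined outside these hunks, so it is worth confirming that it grants read and mmap access under `/usr/lib/chromium/`. If it only lists `/usr/lib/chromium-browser/`, the transition will succeed but the browser will then be denied its own files. The sandbox helper uses `ix` and so stays under the inheriting profile, as the existing sandbox entries do.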
@@ -53,6 +54,7 @@
/selinux/ r,
+ /usr/lib/chromium/chrome-sandbox ix,
/usr/lib/chromium-browser/chromium-browser-sandbox ix,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
/opt/google/chrome-*/chrome-sandbox ix,