Merge ~skunk/apparmor-profiles:chromium-update into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master

Proposed by Daniel Richard G. on 2017-04-03
Status: Rejected
Rejected by: intrigeri on 2018-07-25
Proposed branch: ~skunk/apparmor-profiles:chromium-update
Merge into: ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master
Diff against target: 65 lines (+11/-5)
1 file modified
ubuntu/17.04/usr.bin.chromium-browser (+11/-5)
Reviewer: intrigeri
Date requested: 2017-04-03
Status: Disapprove on 2018-07-25
Review via email: mp+321802@code.launchpad.net

Description of the change

Update to get current Chromium versions working cleanly again in AppArmor.

intrigeri (intrigeri) wrote :

Can you please resubmit on GitLab (https://gitlab.com/apparmor/apparmor-profiles)?

Sorry nobody looked at this yet :/

intrigeri (intrigeri) wrote :
review: Disapprove

Unmerged commits

69d99e3... by Daniel Richard G. on 2017-04-03

usr.bin.chromium-browser: updates for Chromium 57.0.2987.98-1

Preview Diff

1diff --git a/ubuntu/17.04/usr.bin.chromium-browser b/ubuntu/17.04/usr.bin.chromium-browser
2index 86f6aae..93c6bf1 100644
3--- a/ubuntu/17.04/usr.bin.chromium-browser
4+++ b/ubuntu/17.04/usr.bin.chromium-browser
5@@ -40,23 +40,26 @@
6 owner @{PROC}/[0-9]*/stat r,
7 @{PROC}/[0-9]*/statm r,
8 owner @{PROC}/[0-9]*/status r,
9+ owner @{PROC}/[0-9]*/task/[0-9]*/status r,
10 deny @{PROC}/[0-9]*/oom_{,score_}adj w,
11 @{PROC}/sys/kernel/yama/ptrace_scope r,
12+ @{PROC}/sys/net/ipv4/tcp_fastopen r,
13
14 # Newer chromium needs these now
15 /etc/udev/udev.conf r,
16+ /sys/devices/**/uevent r,
17 /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
18+ /sys/devices/system/node/node*/meminfo r,
19 /sys/devices/pci[0-9]*/**/class r,
20 /sys/devices/pci[0-9]*/**/device r,
21 /sys/devices/pci[0-9]*/**/irq r,
22 /sys/devices/pci[0-9]*/**/resource r,
23 /sys/devices/pci[0-9]*/**/vendor r,
24 /sys/devices/pci[0-9]*/**/removable r,
25- /sys/devices/pci[0-9]*/**/uevent r,
26 /sys/devices/pci[0-9]*/**/block/**/size r,
27 /sys/devices/virtual/block/**/removable r,
28- /sys/devices/virtual/block/**/uevent r,
29 /sys/devices/virtual/block/**/size r,
30+ /sys/devices/virtual/tty/tty*/active r,
31 # This is requested, but doesn't seem to actually be needed so deny for now
32 deny /run/udev/data/** r,
33
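Review bot: the new `/sys/devices/**/uevent r,` rule replaces the two scoped rules removed further down (`/sys/devices/pci[0-9]*/**/uevent` and `/sys/devices/virtual/block/**/uevent`) with read access to the uevent file of every device under /sys/devices, which is a wider grant than the pair it supersedes. If the logged denials came from a few specific subtrees, keep the scoped rules and add one rule per additional subtree instead. The other new read rules in this hunk (`task/[0-9]*/status`, `tcp_fastopen`, `node*/meminfo`, `tty*/active`) would benefit from a short comment naming the Chromium version or denial that prompted them, in the style of the existing "Newer chromium needs these now" comment.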
34@@ -156,6 +159,7 @@
35 /{usr/,}bin/dash ixr,
36
37 /etc/ld.so.cache r,
38+ /etc/xdg/** r,
39 /usr/bin/xdg-settings r,
40 /usr/lib/chromium-browser/xdg-settings r,
41 /usr/share/applications/*.desktop r,
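Review bot: `/etc/xdg/** r,`, added next to the xdg-settings entries, grants recursive read over the whole of /etc/xdg with no comment saying what needs it. If the denials were for a small number of files, list those paths explicitly; otherwise add a one-line comment above the rule stating which helper reads the tree so the breadth can be revisited later.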
42@@ -189,11 +193,13 @@
43 /usr/include/python2.[4567]/pyconfig.h r,
44 /etc/lsb-release r,
45 /etc/debian_version r,
46+ /etc/dpkg/origins/** r,
47+ /usr/share/distro-info/** r,
48 /var/lib/dpkg/** r,
49
50- /usr/local/lib/python3.[0-4]/dist-packages/ r,
51+ /usr/local/lib/python3.[0-9]/dist-packages/ r,
52 /usr/bin/ r,
53- /usr/bin/python3.[0-4] r,
54+ /usr/bin/python3.[0-9] mr,
55 }
56
57
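Review bot: `/usr/bin/python3.[0-9] mr,` changes two things in one line, the version glob and the permission, which goes from `r` to `mr`, and neither the description nor the commit message explains why the interpreter now needs to be mapped executable. Please split that out or add a comment with the denial that required `m`. Separately, `[0-9]` matches a single character, so this rule and the `dist-packages` rule above it stop matching after python3.9; `python3.[0-9]*` would cover two-digit minor versions.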
58@@ -258,7 +264,7 @@ profile chromium_browser_sandbox {
59 /usr/bin/chromium-browser r,
60 /usr/lib/chromium-browser/chromium-browser Px,
61 /usr/lib/chromium-browser/chromium-browser-sandbox r,
62- /usr/lib/chromium-browser/chrome-sandbox r,
63+ /usr/lib/chromium-browser/chrome-sandbox mr,
64
65 /dev/null rw,
66
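Review bot: `/usr/lib/chromium-browser/chrome-sandbox mr,` adds the `m` permission to the sandbox helper inside `profile chromium_browser_sandbox` without a stated reason, while the neighbouring `chromium-browser-sandbox r,` line stays read-only. Since this is the setuid sandbox profile, the added permission deserves a comment quoting the denial that required it, and if both paths refer to the same helper the two rules should carry the same permissions.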
