1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
|
--- a/data/apparmor/abstractions/lightdm
+++ b/data/apparmor/abstractions/lightdm
@@ -11,7 +11,6 @@
#include <abstractions/cups-client>
#include <abstractions/dbus>
#include <abstractions/dbus-session>
- #include <abstractions/dbus-accessibility>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
/etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
@@ -74,10 +73,11 @@
capability ipc_lock,
# allow processes in the guest session to signal and ptrace each other
- signal peer=@{profile_name},
- ptrace peer=@{profile_name},
- # needed when logging out of the guest session
- signal (receive) peer=unconfined,
+ # this doesn't work with the current Debian apparmor
+ #signal peer=@{profile_name},
+ #ptrace peer=@{profile_name},
+ ## needed when logging out of the guest session
+ #signal (receive) peer=unconfined,
# silence warnings for stuff that we really don't want to grant
deny capability dac_override,
--- a/data/apparmor/abstractions/lightdm_chromium-browser
+++ b/data/apparmor/abstractions/lightdm_chromium-browser
@@ -8,6 +8,7 @@
# provided in abstractions/lightdm, this abstraction must be separate from
# abstractions/lightdm.
+ /usr/lib/chromium/chromium Cx -> chromium,
/usr/lib/chromium-browser/chromium-browser Cx -> chromium,
/usr/bin/webapp-container Cx -> chromium,
/usr/bin/webbrowser-app Cx -> chromium,
@@ -53,6 +54,7 @@
/selinux/ r,
+ /usr/lib/chromium/chrome-sandbox ix,
/usr/lib/chromium-browser/chromium-browser-sandbox ix,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
/opt/google/chrome-*/chrome-sandbox ix,
|