[apparmor] new extras/usr.lib.chromium-browser.chromium-browser profile

Jamie Strandboge jamie at canonical.com
Wed Jan 12 06:15:00 UTC 2011


This is based on the chromium-browser base profile as included in Ubuntu's
apparmor-profiles. Notable features:
- allows for using the browser to navigate through directories
- allows reads from @{HOME}/Public/**
- allows writes to @{HOME}/Downloads/**
- runs chromium-browser-sandbox in a very strict child profile
- runs xdg-settings in a looser child profile
- disallows ptrace via the main browser process, but allows ptrace in the
  sandbox (required for proper operation)

The intent of this profile is to restrict code execution, writes to $HOME and
information leaks while allowing basic web browsing and reading of system
documentation. It does not allow for plugins, extensions or other helpers (but
these can be added via the local/ mechanism). This profile can be used safely
where the system has CAP_MAC_ADMIN separated out from CAP_SYS_ADMIN (the
sandbox requires CAP_SYS_ADMIN -- see comments in the profile for details).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: usr.lib.chromium-browser.chromium-browser
Type: text/x-pascal
Size: 5023 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110112/1fad6e92/attachment.p>
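
The rule forms that the features listed in the message correspond to, as an
added example written for this page; it is not the attached profile. The
binary paths, the child-profile names and the sandbox capability list are
assumptions.

```apparmor
# Added illustration, not the attached profile. Binary paths, child-profile
# names and the capability list are assumptions.
#include <tunables/global>

/usr/lib/chromium-browser/chromium-browser {
  #include <abstractions/base>

  # Navigate through directories: directory listings only, no file contents
  / r,
  /**/ r,

  # Reads from Public, writes to Downloads
  owner @{HOME}/Public/** r,
  owner @{HOME}/Downloads/** rw,

  # No ptrace from the main browser process
  deny capability sys_ptrace,

  # Helpers run in child profiles (C = child profile, x = execute)
  /usr/lib/chromium-browser/chromium-browser-sandbox Cx -> chromium_browser_sandbox,
  /usr/bin/xdg-settings Cx -> xdg_settings,

  # Plugins, extensions and other helpers are added site-locally;
  # this file must exist, even if empty
  #include <local/usr.lib.chromium-browser.chromium-browser>

  # Strict child: no abstractions, only what the setuid helper needs
  profile chromium_browser_sandbox {
    # The CAP_SYS_ADMIN requirement the message refers to
    capability sys_admin,
    capability sys_chroot,
    capability setuid,
    capability setgid,
    # ptrace is allowed here, not in the parent
    capability sys_ptrace,
    /usr/lib/chromium-browser/chromium-browser-sandbox r,
    # Re-enter the main profile when the helper starts the browser
    /usr/lib/chromium-browser/chromium-browser Px,
  }

  # Looser child: xdg-settings is a shell script, so it gets shell abstractions
  profile xdg_settings {
    #include <abstractions/base>
    #include <abstractions/bash>
    /bin/dash ixr,
    /usr/bin/xdg-settings r,
  }
}
```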

