[apparmor] new extras/usr.lib.chromium-browser.chromium-browser profile

Jamie Strandboge jamie at canonical.com
Wed Jan 12 06:15:00 UTC 2011

This is based on the chromium-browser base profile as included in Ubuntu's
apparmor-profiles. Notable features:
- allows for using the browser to navigate through directories
- allows reads from @{HOME}/Public/**
- allows writes to @{HOME}/Downloads/**
- runs chromium-browser-sandbox in a very strict child profile
- run xdg-settings in a looser child profile
- disallows ptrace via the main browser process, but allows ptrace in the
  sandbox (required for proper operation)

The intent of this profile is to restrict code execution, writes to $HOME
information leaks while allowing basic web browsing and reading of system
documentation. It does not allow for plugins, extensions or other helpers
these can be added via the local/ mechanism). This profile can be used
where the system has CAP_MAC_ADMIN separated out from CAP_SYS_ADMIN (the
sandbox requires CAP_SYS_ADMIN-- see comments in the profile for details).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: usr.lib.chromium-browser.chromium-browser
Type: text/x-pascal
Size: 5023 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110112/1fad6e92/attachment.p>

More information about the AppArmor mailing list