[apparmor] [profile] for usr.lib.chromium.chromium
Aaron Lewis
the.warl0ck.1989 at gmail.com
Fri Jan 11 13:23:41 UTC 2013
Patch is here, several tweaks,
(To work on Arch a substitute is required: s#/chromium/#/chromium-browser/#)
-----
--- usr.bin.chromium-browser 2013-01-11 20:49:18.040009935 +0800
+++ usr.bin.chromium 2013-01-11 21:21:01.923418185 +0800
@@ -8,6 +8,7 @@
#include <abstractions/cups-client>
#include <abstractions/dbus-session>
#include <abstractions/fonts>
+ #include <abstractions/ibus>
#include <abstractions/freedesktop.org>
#include <abstractions/gnome>
#include <abstractions/nameservice>
@@ -52,17 +53,24 @@
/sys/devices/pci[0-9]*/**/vendor r,
/sys/devices/pci[0-9]*/**/removable r,
/sys/devices/pci[0-9]*/**/uevent r,
+ /sys/devices/system/cpu/*/cpufreq/cpuinfo_max_freq r,
+ /sys/devices/virtual/block/*/{uevent,removable,vendor,irq,resource,class} r,
# This is requested, but doesn't seem to actually be needed so deny for now
deny /run/udev/data/** r,
# Needed for the crash reporter
owner @{PROC}/[0-9]*/auxv r,
+ # nacl
+ /usr/lib/chromium-browser/nacl_helper_bootstrap ixm,
+ /usr/lib/chromium-browser/nacl_helper ixm,
+
# chromium mmaps all kinds of things for speed.
/etc/passwd m,
- /usr/share/fonts/truetype/**/*.tt[cf] m,
+ /usr/share/fonts/truetype/**/*.[tT[tT][cCFf] m,
/usr/share/fonts/**/*.pfb m,
/usr/share/mime/mime.cache m,
+ /usr/local/share/mime/mime.cache m,
/usr/share/icons/**/*.cache m,
owner /{dev,run}/shm/pulse-shm* m,
owner @{HOME}/.local/share/mime/mime.cache m,
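Review bot: The replacement font rule `+ /usr/share/fonts/truetype/**/*.[tT[tT][cCFf] m,` has an unbalanced bracket expression — `[tT[tT]` opens a second `[` inside the first character class — so it will either be rejected by the parser or not match the `.ttf`/`.ttc` files the removed `*.tt[cf]` rule covered. The intended case-insensitive form is `/usr/share/fonts/truetype/**/*.[tT][tT][cCfF] m,`. Separately, `nacl_helper_bootstrap` and `nacl_helper` are added with `ixm`, which runs them under the full browser profile; if a narrower child profile is workable, `Cx` to a dedicated child would keep these helpers from inheriting every rule above, though that needs testing I cannot do from the hunk alone.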
@@ -94,9 +102,11 @@
# Helpers
/usr/bin/xdg-open ixr,
+ /usr/bin/exo-open ixr,
+ /usr/bin/kde-open ixr,
/usr/bin/gnome-open ixr,
/usr/bin/gvfs-open ixr,
- # TODO: kde, xfce
+ /usr/bin/lsb_release Cx -> sanitized_helper,
# Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
# which is provided by abstractions/ubuntu-browsers.d/user-files).
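Review bot: `/usr/bin/lsb_release Cx -> sanitized_helper` transitions into a named child profile that must be defined somewhere for this profile to load, and nothing in the hunk shows where `sanitized_helper` comes from (on Ubuntu it is supplied by the ubuntu-helpers abstraction, which is not among the includes visible in this patch). A comment next to the rule such as `# sanitized_helper is provided by abstractions/ubuntu-helpers` — or an explicit `#include` if the profile lacks it — would save the next maintainer a load failure on a distribution that does not ship that abstraction. The `ixr` on `exo-open` and `kde-open` matches the existing `xdg-open`/`gnome-open` rules, so that part is consistent.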
@@ -174,7 +184,7 @@
/lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
/lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
/usr/lib/libstdc++.so* mr,
- /etc/ld.so.cache r,
+ /etc/ld.so.cache rm,
# Required for dropping into PID namespace. Keep in mind that until the
# process drops this capability it can escape confinement, but once it
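Review bot: The change of `/etc/ld.so.cache r` to `rm` widens a permission without saying which denial it resolves, and the same applies to the `chromium-browser-sandbox rm` change in the last hunk, where `m` is granted on what looks like the privileged sandbox helper; the description ("several tweaks") does not explain either. A short comment above each rule naming the logged denial that motivated the `m`, e.g. `# mmap of ld.so.cache seen in audit log on <distro/version placeholder>`, would let a later reviewer confirm the permission is still needed rather than carrying it forward blindly.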
@@ -202,7 +212,7 @@
/usr/bin/chromium-browser r,
/usr/lib/chromium-browser/chromium-browser Px,
- /usr/lib/chromium-browser/chromium-browser-sandbox r,
+ /usr/lib/chromium-browser/chromium-browser-sandbox rm,
/dev/null rw,