--- Begin Message ---
- To: Debian BTS <submit@bugs.debian.org>
- Subject: Chromium browser profile not adapted to Debian packaging
- From: "Daniel Richard G." <skunk@iSKUNK.ORG>
- Date: Thu, 27 Mar 2014 16:25:36 -0400
- Message-id: <1395951936.13027.99750365.3EAA2CEF@webmail.messagingengine.com>
Package: apparmor-profiles
Version: 2.7.103-4
The /etc/apparmor.d/usr.bin.chromium-browser profile appears to have
been taken verbatim from Ubuntu, and unfortunately is not usable with
Debian's packaging of the Chromium browser without a number of
modifications (starting with a file rename):
--- /etc/apparmor.d/usr.bin.chromium-browser 2014-03-27 16:16:54.000000000 -0400
+++ /etc/apparmor.d/usr.bin.chromium 2014-03-27 16:22:15.119117865 -0400
@@ -2,7 +2,7 @@
#include <tunables/global>
# We need 'flags=(attach_disconnected)' in newer chromium versions
-/usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
+/usr/lib/chromium/chromium flags=(attach_disconnected) {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/cups-client>
@@ -63,11 +63,11 @@
@{PROC}/sys/kernel/shmmax r,
owner /{dev,run}/shm/{,.}org.chromium.* mrw,
- /usr/lib/chromium-browser/*.pak mr,
- /usr/lib/chromium-browser/locales/* mr,
+ /usr/lib/chromium/*.pak mr,
+ /usr/lib/chromium/locales/* mr,
# Noisy
- deny /usr/lib/chromium-browser/** w,
+ deny /usr/lib/chromium/** w,
# Make browsing directories work
/ r,
@@ -108,16 +108,16 @@
owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
# Allow transitions to ourself and our sandbox
- /usr/lib/chromium-browser/chromium-browser ix,
- /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
+ /usr/lib/chromium/chromium ix,
+ /usr/lib/chromium/chrome-sandbox cx -> chromium_browser_sandbox,
# TODO: child profile
/bin/ps Uxr,
- /usr/lib/chromium-browser/xdg-settings Ux,
+ /usr/lib/chromium/xdg-settings Ux,
/usr/bin/xdg-settings Ux,
# Site-specific additions and overrides. See local/README for details.
- #include <local/usr.bin.chromium-browser>
+ #include <local/usr.bin.chromium>
profile chromium_browser_sandbox {
# Be fanatical since it is setuid root and don't use an abstraction
@@ -161,9 +161,9 @@
@{PROC}/[0-9]*/oom_score_adj w,
@{PROC}/[0-9]*/task/[0-9]*/stat r,
- /usr/bin/chromium-browser r,
- /usr/lib/chromium-browser/chromium-browser Px,
- /usr/lib/chromium-browser/chromium-browser-sandbox r,
+ /usr/bin/chromium r,
+ /usr/lib/chromium/chromium Px,
+ /usr/lib/chromium/chrome-sandbox r,
owner /tmp/** rw,
}
Likewise, /etc/apparmor.d/local/usr.bin.chromium-browser should
be renamed.
--- End Message ---
--- Begin Message ---
- To: 747159-done@bugs.debian.org
- Subject: Re: [Pkg-xfce-devel] Bug#747159: Processed: Re: Bug#742829
- From: Yves-Alexis Perez <corsac@debian.org>
- Date: Tue, 28 Aug 2018 10:16:44 +0200
- Message-id: <fbf14c45814ccab6f265abe115f417e91e921899.camel@debian.org>
- In-reply-to: <1399410379.5965.5.camel@scapa>
- References: <1399349921.21987.6C2FAD1B@webmail.messagingengine.com> <handler.s.C.139934995810579.transcript@bugs.debian.org> <1399368735.26926.3.camel@scapa> <1399409347.2594.114397009.1FBE1DD6@webmail.messagingengine.com> <1399410379.5965.5.camel@scapa>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Version: 1.10.1-2
On Tue, 2014-05-06 at 23:06 +0200, Yves-Alexis Perez wrote:
> On mar., 2014-05-06 at 16:49 -0400, Daniel Richard G. wrote:
> > A patch would be fairly simple:
> >
> > --- /etc/apparmor.d/abstractions/lightdm_chromium-browser.orig 2014-04-28
> > 15:33:22.000000000 -0400
> > +++ /etc/apparmor.d/abstractions/lightdm_chromium-browser 2014-05-06
> > 16:40:08.014693614 -0400
> > @@ -8,7 +8,7 @@
> > # abstractions/lightdm, this abstraction must be separate from
> > # abstractions/lightdm.
> >
> > - /usr/lib/chromium-browser/chromium-browser Cx -> chromium_browser,
> > + /usr/lib/chromium/chromium Cx -> chromium_browser,
> > profile chromium_browser {
> > # Allow all the same accesses as other applications in the guest
> > session
> > #include <abstractions/lightdm>
> > @@ -29,5 +29,5 @@
> >
> > /selinux/ r,
> >
> > - /usr/lib/chromium-browser/chromium-browser-sandbox ix,
> > + /usr/lib/chromium/chrome-sandbox ix,
> > }
> >
>
> Well, it seems that it wouldn't be enough, see #747252.
>
This was actually fixed in 1.10.1-2 but I closed the wrong bug in the
changelog entry.
Regards,
- --
Yves-Alexis
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAluFBOwACgkQ3rYcyPpX
RFuRpQf8DzCcrQe0hvuBtGqmZsEC44EqvEKEgMoPMbUItxrOqVgtOVNsbyhKqaeU
/MleR4SgsYclUV6+Y12Oow1XMeFc9gidtIxtZBkZ3PT/eoB5YiUcf0DTnjpIM7Dz
WJPOQOET31V2EwsdR7sR7MRxGrP889r4imc/4FivgjNISYeJ/yPddxKvuuYKHYWZ
2A7PgkMGSdA3Hei5w1NAsT9zTTWzKuWZmt6jDjIDSvVx2AiBWN/iuUXVHAiDhepW
znmikLxhvPwgg7CED0gAgZQ1pI+s3M8mB7Jk3dGmSuPmZdyHmbhnCFZEYsRBgyYM
Xh+GCiFyYpOEpj14CKYZPk8D89jDpw==
=CZKM
-----END PGP SIGNATURE-----
--- End Message ---