chromium_browser: updates from usage monitoring

2025-08-30 05:47:59 +00:00 · 2024-04-05 02:14:11 -04:00 · 2024-04-05 02:14:11 -04:00 · ae54ccbe90
commit ae54ccbe90
parent 76f5e88f8c
1 changed files with 72 additions and 10 deletions
--- a/profiles/apparmor/profiles/extras/chromium_browser
+++ b/profiles/apparmor/profiles/extras/chromium_browser
@ -22,10 +22,13 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
  include <abstractions/cups-client>
  include <abstractions/dbus-session>
  include <abstractions/dbus-strict>
+  include <abstractions/fonts>
  include <abstractions/gnome>
  include <abstractions/ibus>
+  include <abstractions/mesa>
  include <abstractions/nameservice>
  include <abstractions/user-tmp>
+  include <abstractions/vulkan>

  # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
  # you want access to productivity applications, adjust the following file
@ -65,6 +68,41 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
       member=GetAll
       peer=(label=unconfined),

+  dbus (receive)
+       bus=system
+       path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       member={SessionNew,SessionRemoved}
+       peer=(label=unconfined),
+
+  dbus (send)
+       bus=session
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={AddMatch,GetNameOwner,Hello,NameHasOwner,RemoveMatch,StartServiceByName}
+       peer=(name=org.freedesktop.DBus),
+
+  dbus (send)
+       bus=session
+       path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.freedesktop.portal.Desktop),
+
+  dbus (send)
+       bus=session
+       path=/org/freedesktop/Notifications
+       interface=org.freedesktop.Notifications
+       member={GetCapabilities,GetServerInformation}
+       peer=(name=org.freedesktop.Notifications),
+
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=ListMountableInfo
+       peer=(label=unconfined),
+
  # Networking
  network inet stream,
  network inet6 stream,
@ -72,21 +110,26 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
  @{PROC}/@{pid}/net/ipv6_route r,

  # Should maybe be in abstractions
+  /etc/fstab r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/mtab r,
  /etc/xdg/xubuntu/applications/defaults.list r,
+  owner @{HOME}/.cache/thumbnails/** r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  /tmp/.X[0-9]*-lock r,

  @{PROC}/self/exe ixr,
  @{PROC}/filesystems r,
+  @{PROC}/pressure/{cpu,io,memory} r,
  @{PROC}/vmstat r,
  @{PROC}/ r,
  @{PROC}/@{pid}/task/@{tid}/stat r,
+  owner @{PROC}/@{pid}/clear_refs w,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/io r,
+  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/setgroups w,
  owner @{PROC}/@{pid}/{uid,gid}_map w,
  @{PROC}/@{pid}/smaps r,
@ -95,6 +138,7 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
  @{PROC}/@{pid}/status r,
  owner @{PROC}/@{pid}/task/@{tid}/status r,
  deny @{PROC}/@{pid}/oom_{,score_}adj w,
+  @{PROC}/sys/fs/inotify/max_user_watches r,
  @{PROC}/sys/kernel/yama/ptrace_scope r,
  @{PROC}/sys/net/ipv4/tcp_fastopen r,

@ -104,11 +148,21 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
  /sys/devices/**/uevent r,
  /sys/devices/system/cpu/cpufreq/policy*/cpuinfo_max_freq r,
  /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
+  /sys/devices/system/cpu/kernel_max r,
+  /sys/devices/system/cpu/possible r,
+  /sys/devices/system/cpu/present r,
  /sys/devices/system/node/node*/meminfo r,
+  /sys/devices/pci[0-9]*/**/bConfigurationValue r,
+  /sys/devices/pci[0-9]*/**/boot_vga r,
+  /sys/devices/pci[0-9]*/**/busnum r,
  /sys/devices/pci[0-9]*/**/class r,
  /sys/devices/pci[0-9]*/**/config r,
+  /sys/devices/pci[0-9]*/**/descriptors r,
  /sys/devices/pci[0-9]*/**/device r,
+  /sys/devices/pci[0-9]*/**/devnum r,
  /sys/devices/pci[0-9]*/**/irq r,
+  /sys/devices/pci[0-9]*/**/manufacturer r,
+  /sys/devices/pci[0-9]*/**/product r,
  /sys/devices/pci[0-9]*/**/resource r,
  /sys/devices/pci[0-9]*/**/revision r,
  /sys/devices/pci[0-9]*/**/subsystem_device r,
@ -121,6 +175,7 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
  /sys/devices/virtual/tty/tty*/active r,
  # This is requested, but doesn't seem to actually be needed so deny for now
  deny /run/udev/data/** r,
+  deny /sys/devices/virtual/dmi/id/* r,

  # Needed for the crash reporter
  owner @{PROC}/@{pid}/auxv r,
@ -131,13 +186,13 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
  /usr/share/fonts/**/*.pfb m,
  /usr/share/mime/mime.cache m,
  /usr/share/icons/**/*.cache m,
-  owner /{dev,run}/shm/pulse-shm* m,
+  owner /{dev,run,var/run}/shm/pulse-shm* m,
  owner @{HOME}/.local/share/mime/mime.cache m,
  owner /tmp/** m,

  @{PROC}/sys/kernel/shmmax r,
-  owner /{dev,run}/shm/{,.}org.chromium.* mrw,
-  owner /{,var/}run/shm/shmfd-* mrw,
+  owner /{dev,run,var/run}/shm/{,.}org.chromium.* mrw,
+  owner /{dev,run,var/run}/shm/shmfd-* mrw,

  /usr/lib/@{chromium}/*.pak mr,
  /usr/lib/@{chromium}/locales/* mr,
@ -148,8 +203,8 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne

  # Allow ptracing ourselves and our helpers
  ptrace (trace) peer=@{profile_name},
-  ptrace (trace) peer=@{profile_name}//xdgsettings,
-  ptrace (trace) peer=lsb_release,
+  ptrace (read, trace) peer=@{profile_name}//xdgsettings,
+  ptrace (read, trace) peer=lsb_release,

  # Make browsing directories work
  / r,
@ -182,10 +237,9 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
  /etc/firefox/profile/bookmarks.html r,
  owner @{HOME}/.mozilla/** k,

-  # Chromium Policies
-  /etc/@{chromium}/policies/** r,
-
  # Chromium configuration
+  /etc/@{chromium}/** r,
+  # Note: "~/.pki/{,nssdb/} w" is denied by private-files abstraction
  owner @{HOME}/.pki/nssdb/* rwk,
  owner @{HOME}/.cache/chromium/ rw,
  owner @{HOME}/.cache/chromium/** rw,
@ -196,6 +250,9 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
  owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
  owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,

+  # Widevine CDM plugin
+  owner @{HOME}/.config/chromium/WidevineCdm/*/_platform_specific/*/libwidevinecdm.so mr,
+
  # Allow transitions to ourself, our sandbox, and crash handler
  /usr/lib/@{chromium}/@{chromium} ix,
  /usr/lib/@{chromium}/chrome-sandbox cx -> sandbox,
@ -212,10 +269,13 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
  /usr/bin/lsb_release Pxr -> lsb_release,

  # GSettings
-  owner /{,var/}run/user/*/dconf/     rw,
-  owner /{,var/}run/user/*/dconf/user rw,
+  owner @{run}/user/[0-9]*/dconf/     rw,
+  owner @{run}/user/[0-9]*/dconf/user rw,
  owner @{HOME}/.config/dconf/user r,

+  # GVfs
+  owner @{run}/user/[0-9]*/gvfsd/socket-* rw,
+
  # Magnet links
  /usr/bin/gio ixr,

@ -268,6 +328,8 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
    /{usr/,}lib/@{multiarch}/libpthread-*.so* mr,
    /{usr/,}lib{,32,64}/libatomic.so* mr,
    /{usr/,}lib/@{multiarch}/libatomic.so* mr,
+    /{usr/,}lib{,32,64}/libc.so.* mr,
+    /{usr/,}lib/@{multiarch}/libc.so.* mr,
    /{usr/,}lib{,32,64}/libc-*.so* mr,
    /{usr/,}lib/@{multiarch}/libc-*.so* mr,
    /{usr/,}lib{,32,64}/libdl-*.so* mr,