HEX
Server: Apache/2.4.52 (Ubuntu)
System: Linux ip-172-31-4-197 6.8.0-1036-aws #38~22.04.1-Ubuntu SMP Fri Aug 22 15:44:33 UTC 2025 x86_64
User: ubuntu (1000)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /etc/apparmor.d/abstractions/
Upload Files
File: //etc/apparmor.d/abstractions/lightdm_chromium-browser
# vim:syntax=apparmor
# Profile abstraction for restricting chromium in the lightdm guest session
# Author: Jamie Strandboge <jamie@canonical.com>

# The abstraction provides the additional accesses required to launch
# chromium based browsers from within an lightdm session. Because AppArmor
# cannot yet merge profiles and because we want to utilize the access rules
# provided in abstractions/lightdm, this abstraction must be separate from
# abstractions/lightdm.

# Requires apparmor 2.9

  /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
  /usr/bin/webapp-container Cx -> chromium,
  /usr/bin/webbrowser-app Cx -> chromium,
  /usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
  /opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
  /opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
  /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
  /opt/google/chrome/google-chrome Cx -> chromium,

  # Allow ptracing processes in the chromium child profile
  ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,

  # Allow receiving and sending signals to processes in the chromium child profile
  signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,

  # Allow communications with chromium child profile via unix sockets
  unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),

  profile chromium {
    # Allow all the same accesses as other applications in the guest session
    #include <abstractions/lightdm>

    # but also allow a few things because of chromium-browser's sandboxing that
    # are not appropriate to other guest session applications.
    owner @{PROC}/[0-9]*/oom_{,score_}adj w,
    @{PROC}/sys/kernel/shmmax r,
    capability sys_admin,  # for sandbox to change namespaces
    capability sys_chroot, # fod sandbox to chroot to a safe directory
    capability setgid,     # for sandbox to drop privileges
    capability setuid,     # for sandbox to drop privileges
    capability sys_ptrace, # chromium needs this to keep track of itself
    @{PROC}/sys/kernel/yama/ptrace_scope r,

    # Allow ptrace reads of processes in the lightdm-guest-session
    ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
    # Allow other guest session processes to read and trace us
    ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
    ptrace (readby, tracedby) peer=@{profile_name},

    # Allow us to receive and send signals from processes in the
    # lightdm-guest-session
    signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session,

    # Allow us to receive and send on unix sockets from processes in the
    # lightdm-guest-session
    unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session),

    @{PROC}/[0-9]*/ r,                 # sandbox wants these
    @{PROC}/[0-9]*/fd/ r,              # sandbox wants these
    @{PROC}/[0-9]*/statm r,            # sandbox wants these
    @{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these

    owner @{PROC}/@{pid}/setgroups w,
    owner @{PROC}/@{pid}/uid_map w,
    owner @{PROC}/@{pid}/gid_map w,

    /selinux/ r,

    /usr/lib/chromium-browser/chromium-browser-sandbox ix,
    /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
    /opt/google/chrome-*/chrome-sandbox ix,
  }
@ Telegram