# Description: Can use the UbuntuWebview
/usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/ r,
/usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/** r,
/usr/share/qtdeclarative5-ubuntu-web-plugin/ r,
/usr/share/qtdeclarative5-ubuntu-web-plugin/** r,
ptrace (read, trace) peer=@{profile_name},
signal peer=@{profile_name}//oxide_helper,
# Allow communicating with sandbox
unix (receive, send) peer=(label=@{profile_name}//oxide_helper),
# LP: #1260090 - when this bug is fixed, oxide_renderer can become a
# child profile of this profile, then we'll use Cx here and Px in
# chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
# as standalone profiles and we would just Px/px to them, but this is not
# practical because oxide-renderer needs to access app-specific files
# and shm files (when 1260103 is fixed). For now, have a single helper
# profile for chrome-sandbox and oxide-renderer.
/usr/lib/@{multiarch}/oxide-qt/oxide-renderer Cxmr -> oxide_helper,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox cxmr -> oxide_helper,
/usr/lib/@{multiarch}/oxide-qt/* r,
@{PROC}/[0-9]*/task/[0-9]*/stat r,
# LP: #1275917 (not a problem, but unnecessary)
/usr/share/glib-2.0/schemas/gschemas.compiled r,
deny /usr/lib/@{multiarch}/qt5/bin/locales/ w,
deny /usr/bin/locales/ w,
deny /run/user/[0-9]*/dconf/user rw,
deny owner @{HOME}/.config/dconf/user r,
deny /custom/etc/dconf_profile r,
# LP: #1357371 (webapp-container needs corresponding 'bind' call on
# org.freedesktop.Application, which we block elsewhere. webapp-container
# shouldn't be doing this under confinement, but we allow this rule in
# content_exchange, so just allow it to avoid confusion)
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
peer=(label=unconfined),
# LP: #1260048 - only allow 'r' for now, since 'w' would allow database poisoning
owner @{HOME}/.pki/nssdb/ r,
owner @{HOME}/.pki/nssdb/** rk,
deny @{HOME}/.pki/nssdb/ w,
deny @{HOME}/.pki/nssdb/** w,
/sys/bus/pci/devices/ r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/cpu[0-9]*/cpufreq/cpuinfo_max_freq r,
/sys/devices/pci[0-9]*/**/class r,
/sys/devices/pci[0-9]*/**/device r,
/sys/devices/pci[0-9]*/**/irq r,
/sys/devices/pci[0-9]*/**/resource r,
/sys/devices/pci[0-9]*/**/vendor r,
/sys/devices/pci[0-9]*/**/removable r,
/sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/pci[0-9]*/**/block/**/size r,
/etc/udev/udev.conf r,
owner /run/shm/.org.chromium.Chromium.* rwk,
# LP: #1260090 - when this bug is fixed, oxide_renderer can become a
# child profile of this profile, then we can use Cx here and Px in
# chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
# as standalone profiles and we would just Px/px to them, but this is not
# practical because oxide-renderer needs to access app-specific files
# and shm files (when 1260103 is fixed). For now, have a single helper
# profile for chrome-sandbox and oxide-renderer.
profile oxide_helper (attach_disconnected) {
# Shared by chrome-sandbox and oxide-helper
#include <abstractions/base>
# So long as we don't grant access to /dev/binder, this should be 'ok'
/{,android/}vendor/lib/*.so mr,
/{,android/}system/lib/*.so mr,
/{,android/}system/vendor/lib/*.so mr,
/{,android/}system/build.prop r,
/dev/socket/property_service rw, # attach_disconnected path
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/cpu[0-9]*/cpufreq/cpuinfo_max_freq r,
# chrome-sandbox specific
# Required for dropping into PID namespace. Keep in mind that until the
# process drops this capability it can escape confinement, but once it
# drops CAP_SYS_ADMIN, confinement holds again.
capability sys_admin,
# All of these are needed for cleanly dropping privileges from root and chrooting
capability dac_override,
capability dac_read_search,
capability sys_chroot,
capability sys_ptrace,
ptrace (read, readby),
signal peer=@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION},
unix peer=(label=@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}),
unix peer=(label=@{profile_name}),
unix (getattr, getopt, setopt, shutdown),
deny @{PROC}/[0-9]*/oom_adj w,
deny @{PROC}/[0-9]*/oom_score_adj w,
/usr/lib/@{multiarch}/oxide-qt/oxide-renderer rmix,
# oxide-renderer specific
#include <abstractions/fonts>
@{PROC}/sys/kernel/shmmax r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox rmix,
# The renderer may need access to app-specific files, such as WebCore
owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw,
owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwkl,
# NOTE(review): the corresponding rule in the enclosing policy carries the
# 'owner' qualifier; this one does not, so shm segments created by other
# users under this name are reachable from the helper too - confirm intended.
/run/shm/.org.chromium.Chromium.* rwk,
owner @{HOME}/.pki/nssdb/ rw,
# NOTE(review): the enclosing policy explicitly denies 'w' on this path
# (LP: #1260048, database poisoning). Deny rules of the parent do not apply
# inside this profile, so the renderer is granted write access here -
# confirm this is intended rather than an oversight.
owner @{HOME}/.pki/nssdb/** rwk,
deny /usr/lib/@{multiarch}/oxide-qt/locales/ w,