[pkg-apparmor] Bug#742829: Bug#742829: closed by intrigeri <intrigeri at debian.org> (Bug#742829: fixed in apparmor 2.10.95-8)

Daniel Richard G. skunk at iSKUNK.ORG
Fri Oct 6 06:19:33 UTC 2017


Hi Seth,

On Wed, 2017 Oct  4 18:39-0700, Seth Arnold wrote:
> Thanks for tackling this Daniel,
> 
> On Fri, Sep 29, 2017 at 04:09:02PM -0400, Daniel Richard G. wrote:
> > alias /etc/chromium-browser/ -> /etc/chromium/,
> > alias /usr/bin/chromium-browser -> /usr/bin/chromium,
> > alias /usr/lib/chromium-browser/chromium-browser-sandbox -> /usr/lib/chromium/chrome-sandbox,
> > alias /usr/lib/chromium-browser/chromium-browser -> /usr/lib/chromium/chromium,
> > alias /usr/lib/chromium-browser/ -> /usr/lib/chromium/,
> 
> Be aware that use of alias rules can drastically affect compilation
> times and generated policy sizes. Maybe these should be variables that
> could be set as they are changed?
> 
> > # We need 'flags=(attach_disconnected)' in newer chromium versions
> > /usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
> 
> Please consider using a shorter, friendlier, profile name:
>
> profile chromium-browser /usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
> 
> >   capability sys_admin,
> >   capability sys_chroot,
> >   capability sys_ptrace,
> 
> I like sticking capabilities high in the profile, just after the
> #include statements, so that they're more easily visible.

Bear in mind that the profile I have is based on Ubuntu's. Mine is only
a few lines beyond ubuntu/17.10/usr.bin.chromium-browser in the
apparmor-profiles Git repository, and I deliberately want to keep the
diff small to simplify maintenance/PRs.

I like the changes you're proposing, but the easiest way forward would
be to apply these to the 17.10 or forthcoming 18.04 edition of the
profile in Git, after which I'll merge them in here.

At this point in time, Ubuntu is still the primary source for the
Chromium profile. That will hopefully move over to Debian (as Debian
ultimately maintains the Chromium packages for both distros), but
for now that's the main limiting factor on what I'm doing.


--Daniel


-- 
Daniel Richard G. || skunk at iSKUNK.ORG
My ASCII-art .sig got a bad case of Times New Roman.
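
The three suggestions quoted above (a variable in place of the alias rules, a short profile name, capabilities directly after the includes) combined in one profile fragment. This is an added example, not taken from the thread or from the apparmor-profiles repository; the variable name `@{chromium_name}` and the file rules are constructed for illustration, and the differing sandbox binary names are not covered.

```apparmor
# Added illustration; not the profile discussed in the thread.
#include <tunables/global>

# Hypothetical variable listing both naming schemes. The parser expands
# each use into an alternation, so no alias rules are required.
@{chromium_name}=chromium chromium-browser

# Short profile name first, then the attachment path and flags.
# Note: two uses of the variable also match the cross combinations
# (e.g. /usr/lib/chromium/chromium-browser), which is broader than
# the alias rules it replaces.
profile chromium-browser /usr/lib/@{chromium_name}/@{chromium_name} flags=(attach_disconnected) {
  #include <abstractions/base>

  # Capabilities directly after the includes so they are easy to review.
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

  # Constructed sample rules showing the variable in ordinary path rules.
  /etc/@{chromium_name}/** r,
  /usr/lib/@{chromium_name}/** r,
}
```

A profile edited this way can be syntax-checked without loading it by running `apparmor_parser -Q` on the file.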


