[Pkg-xfce-devel] Bug#747252: lightdm: AppArmor parser error in /etc/apparmor.d/abstractions/lightdm_chromium-browser

Daniel Richard G. skunk at iSKUNK.ORG
Thu Jun 12 04:49:20 UTC 2014 

Yves, you removed /etc/apparmor.d/lightdm-guest-session from the
package (via a debhelper exclusion directive), but you didn't exclude
/etc/apparmor.d/abstractions/lightdm_chromium-browser, which is the
profile that was generating the error in the first place  >_<

    https://packages.debian.org/sid/amd64/lightdm/filelist

On Sat, 2014 Jun  7 15:12+0200, intrigeri wrote:
>
> Good to know. That may be an error on my side, then. May you please
> share the exact patch you're applying to the relevant profile(s)?

Looks like the errant profiles are going away, but for what it's worth,
this is what I did (basically, comment out all "ptrace" and "signal"
directives):

--- /etc/apparmor.d/abstractions/lightdm_chromium-browser.orig	2014-06-12 00:32:32.000000000 -0400
+++ /etc/apparmor.d/abstractions/lightdm_chromium-browser	2014-06-04 21:03:07.663729440 -0400
@@ -18,10 +18,10 @@
   /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
 
   # Allow ptracing processes in the chromium child profile
-  ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+#  ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
 
   # Allow receiving and sending signals to processes in the chromium child profile
-  signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+#  signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
 
   profile chromium {
     # Allow all the same accesses as other applications in the guest session
@@ -39,14 +39,14 @@
     @{PROC}/sys/kernel/yama/ptrace_scope r,
 
     # Allow ptrace reads of processes in the lightdm-guest-session
-    ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
+#    ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
     # Allow other guest session processes to read and trace us
-    ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
-    ptrace (readby, tracedby) peer=@{profile_name},
+#    ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
+#    ptrace (readby, tracedby) peer=@{profile_name},
 
     # Allow us to receive and send signals from processes in the
     # lightdm-guest-session
-    signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
+#    signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
 
     @{PROC}/[0-9]*/ r,                 # sandbox wants these
     @{PROC}/[0-9]*/fd/ r,              # sandbox wants these

More information about the Pkg-xfce-devel mailing list