Better Chromium: add apparmor profile

required on kernels with the restriction on unprivileged user namespaces (such as Ubuntu Mantic and Noble)
Botspot · May 8, 2024 · a1b70cd · a1b70cd
1 parent b82a35b
commit a1b70cd
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/apps/Better Chromium/install b/apps/Better Chromium/install
@@ -95,6 +95,23 @@ Pin-Priority: -1' | sudo tee /etc/apt/preferences.d/pi-apps-coders-chromium >/de
         cp -R ~/.var/app/org.chromium.Chromium/config/chromium ~/.config/
       fi
     fi
+    # add apparmor profile if needed
+    if sysctl kernel.apparmor_restrict_unprivileged_userns | grep -q 1 ; then
+      echo "# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile chromium-browser /usr/lib/chromium-browser/chromium-browser flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/chromium-browser>
+}
+" | sudo tee /etc/apparmor.d/chromium-browser >/dev/null
+      sudo systemctl restart apparmor.service
+    fi
   fi
 fi