From a1b70cd39679a019a43ea4054b98fbe74ad78982 Mon Sep 17 00:00:00 2001
From: theofficialgman <28281419+theofficialgman@users.noreply.github.com>
Date: Wed, 8 May 2024 18:18:43 -0400
Subject: [PATCH] Better Chromium: add apparmor profile

required on kernels with the restriction on unprivileged user namespaces (such as Ubuntu Mantic and Noble)
---
 apps/Better Chromium/install | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/apps/Better Chromium/install b/apps/Better Chromium/install
index 7d4c460988..d297f62251 100755
--- a/apps/Better Chromium/install	
+++ b/apps/Better Chromium/install	
@@ -95,6 +95,23 @@ Pin-Priority: -1' | sudo tee /etc/apt/preferences.d/pi-apps-coders-chromium >/de
         cp -R ~/.var/app/org.chromium.Chromium/config/chromium ~/.config/
       fi
     fi
+    # add apparmor profile if needed
+    if sysctl kernel.apparmor_restrict_unprivileged_userns | grep -q 1 ; then
+      echo "# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile chromium-browser /usr/lib/chromium-browser/chromium-browser flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/chromium-browser>
+}
+" | sudo tee /etc/apparmor.d/chromium-browser >/dev/null
+      sudo systemctl restart apparmor.service
+    fi
   fi
 fi