git.lizzy.rs Git - torbrowser-launcher.git/commitdiff
AppArmor: support sysvinit systems.
author intrigeri <intrigeri@boum.org>
Sat, 9 Sep 2017 17:28:02 +0000 (17:28 +0000)
committer intrigeri <intrigeri@boum.org>
Sat, 9 Sep 2017 17:30:33 +0000 (17:30 +0000)
With systemd (at least on current Debian sid), /run/shm is a symlink to
/dev/shm, so "owner /dev/shm/org.chromium.* rw," is enough. With sysvinit,
apparently things are set up differently (perhaps the symlinks are in the
opposite direction?) so Firefox tries to access /run/shm/org.chromium.*,
which was rejected.

Let's support both!

Thanks to gregor herrmann <gregoa@debian.org> for the bug report:
https://bugs.debian.org/874383

Note that this problem happens with pristine 0.2.8 profiles,
without the changes brought by my apparmor-e10s branch.

apparmor/torbrowser.Browser.firefox
apparmor/torbrowser.Browser.plugin-container

index 1d6421e7c4d6b9b8a77a6ce2bca02fded444bacc..25a438ba0dbe35a745dfab49ced7078fe811cffa 100644 (file)
@@ -80,7 +80,7 @@
   owner /{dev,run}/shm/shmfd-* rw,
 
   # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
-  owner /dev/shm/org.chromium.* rw,
+  owner /{dev,run}/shm/org.chromium.* rw,
 
   # Deny access to DRM nodes, that's granted by the X abstraction, which is
   # sourced by the gnome abstraction, that we include.
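Review bot: the comment above the changed rule still reads only "Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)", so nothing in the profile itself records why /run/shm is allowed next to /dev/shm. A short extra comment line saying that on sysvinit systems Firefox accesses /run/shm/org.chromium.* (https://bugs.debian.org/874383) would keep a later cleanup from narrowing the rule back to /dev/shm. The widened rule keeps the owner qualifier, the rw permissions and the org.chromium.* glob, and uses the same /{dev,run}/shm alternation as the shmfd-* rule in the context line above, so the grant stays limited to the same file pattern under the second path.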
index 121404489ec0ef24134b30a18c55fcc09c2800b7..ee30fd4129fc595d78020144cadbeed11c4502d5 100644 (file)
@@ -66,7 +66,7 @@ profile torbrowser_plugin_container {
   owner /{dev,run}/shm/shmfd-* rw,
 
   # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
-  owner /dev/shm/org.chromium.* rw,
+  owner /{dev,run}/shm/org.chromium.* rw,
 
   # Deny access to DRM nodes, that's granted by the X abstraction, which is
   # sourced by the gnome abstraction, that we include.
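Review bot: the org.chromium.* rule in profile torbrowser_plugin_container is a verbatim copy of the rule changed in the other file of this commit, so every path fix has to be made twice and the two profiles can drift apart if one copy is missed. If both profiles are meant to carry the same shared-memory rules (shmfd-* and org.chromium.*), consider moving those lines into one file that both profiles pull in with an AppArmor #include, so the next adjustment touches a single place. If the duplication is intentional, a comment in each profile pointing at the other copy would help whoever edits these rules next.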