As I understand it, we plan to punch holes in AA and seccomp specifically for a new chromium profile. From devmode, I extracted the apparmor denials for chromium browser.
apparmor="ALLOWED" operation="capable" profile="snap.chromium.chromium" pid=NNNNN comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="mknod" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_FileUser" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="mknod" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_IOThread" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_FileUser" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/" pid=NNNNN comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/" pid=NNNNN comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/policy.json" pid=NNNNN comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/recommended/" pid=NNNNN comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/recommended/" pid=NNNNN comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/NNNNN/oom_score_adj" pid=NNNNN comm="chromium-browse" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/NNNNN/setgroups" pid=NNNNN comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/NNNNN/uid_map" pid=NNNNN comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/usr/share/applications/" pid=NNNNN comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/usr/share/applications/python3.5.desktop" pid=NNNNN comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/usr/share/applications/vim.desktop" pid=NNNNN comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/applications/" pid=NNNNN comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/var/tmp/" pid=NNNNN comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="truncate" profile="snap.chromium.chromium" name="/proc/17939/oom_score_adj" pid=NNNNN comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="unlink" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_FileUser" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="unlink" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_IOThread" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
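A parser for the records above, as an added example that is not part of the post or of snapd's tooling: it aggregates the complain-mode (ALLOWED) records into candidate least-privilege profile rules the way aa-logprof would, merging masks per path, generalizing pids and only emitting `owner` where every access was to a file the fsuid owns. The `@{PROC}/@{pid}` and `.Chromium.*` globbing is an assumed normalization, and the embedded sample is constructed from six of the records in the post.

```python
import re
from collections import defaultdict

# Constructed sample: six of the devmode (complain-mode) records quoted in the post.
SAMPLE_LOG = """\
apparmor="ALLOWED" operation="capable" profile="snap.chromium.chromium" pid=NNNNN comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="unlink" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_FileUser" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/NNNNN/oom_score_adj" pid=NNNNN comm="chromium-browse" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="truncate" profile="snap.chromium.chromium" name="/proc/17939/oom_score_adj" pid=NNNNN comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/policy.json" pid=NNNNN comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MASK_TO_PERM = {"c": "w", "d": "w"}  # log masks c (create) and d (delete) are covered by w in rules

def parse_record(line):
    """One audit record -> dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def generalize(path):
    """Collapse per-process specifics into globs (assumed aa-logprof-style normalization, not snapd's)."""
    path = re.sub(r"^/proc/(\d+|NNNNN)/", "@{PROC}/@{pid}/", path)
    return re.sub(r"\.Chromium\.(\d+|NNNNNN)$", ".Chromium.*", path)

def suggest_rules(log_text):
    """Aggregate ALLOWED (complain-mode) records into candidate profile rules.
    Returns (file_rules, caps); file_rules maps glob -> (owner_only, perms)."""
    perms, owned, caps = defaultdict(set), {}, set()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "ALLOWED":
            continue  # enforce-mode DENIED lines need separate triage
        if rec.get("operation") == "capable":
            caps.add(rec["capname"])
        elif "name" in rec and "requested_mask" in rec:
            glob = generalize(rec["name"])
            perms[glob].update(MASK_TO_PERM.get(m, m) for m in rec["requested_mask"])
            # 'owner' is only safe if every access was to a file the fsuid owns
            owned[glob] = owned.get(glob, True) and rec.get("fsuid") == rec.get("ouid")
    rules = {g: (owned[g], "".join(sorted(s))) for g, s in sorted(perms.items())}
    return rules, sorted(caps)

if __name__ == "__main__":
    rules, caps = suggest_rules(SAMPLE_LOG)
    for c in caps:
        print(f"capability {c},  # broad; justify before granting")
    for glob, (owner, perm) in rules.items():
        print(f"{'owner ' if owner else ''}{glob} {perm},")
```

The output is a starting point for review, not a profile to ship: the `capability sys_admin` line in particular is the kind of hole the post is talking about and should be checked against what chromium actually needs from it.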