Comment 6 for bug 1625832

Nick Gilla (nickgilla) wrote :

I can confirm this for hammerhead in OTA-14 stable on a Nexus 5, fresh install.

I'm currently trying to pin down all the rules needed to avoid disabling apparmor for the potentially most sensitive app in the system. However, I'm stuck on the following two profiles:

profile="webbrowser-app"
name="/run/shm/webbrowser-app.oxide/.org.chromium.Chromium.<REDACTED>"
comm="webbrowser-app"
denied_mask="c"

profile="webbrowser-app//oxide_helper"
name="/usr/lib/arm-linux-gnueabihf/libhybris/linker/jb.so"
comm="oxide-renderer"
denied_mask="m"

The first I can't define a rule for because the mask seems non-standard. For the second profile, I can't find any reference to oxide in any profile in the config dir, but did find "enforce" in /sys/kernel/security/apparmor/policy/profiles/webbrowser-app.15/profiles/oxide_helper.16/mode. However, I don't understand this policy framework, so don't want to edit this and its associated files.

Ideas?

I/we must be doing something wrong, as all of this is out of the box on OTA-14. Surely others would have noticed the browser not starting for this long.

Cheers.
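
Added example, not part of the original comment and not Ubuntu Touch's own tooling: a sketch that turns denial fields like the two quoted above into candidate AppArmor file rules. It relies on the audit-log letters "c" (create) and "d" (delete) being granted by "w" in a profile rule, and on "//" in a profile name marking a child profile; the one-line log format, the sample lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Audit-log mask letter -> permission letter used in a profile file rule.
# 'c' (create) and 'd' (delete) appear only in logs; both are granted by 'w'.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}
PERM_ORDER = "rwaklm"
FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: the four fields quoted in the comment, one line per denial
# (real audit lines carry more fields; <REDACTED> is kept as in the comment).
SAMPLE = '''\
apparmor="DENIED" profile="webbrowser-app" name="/run/shm/webbrowser-app.oxide/.org.chromium.Chromium.<REDACTED>" comm="webbrowser-app" denied_mask="c"
apparmor="DENIED" profile="webbrowser-app//oxide_helper" name="/usr/lib/arm-linux-gnueabihf/libhybris/linker/jb.so" comm="oxide-renderer" denied_mask="m"
'''

def suggest_rules(log_text):
    """Return ({profile: {path: perms}}, [masks left for manual review])."""
    rules = defaultdict(lambda: defaultdict(set))
    unmapped = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") != "DENIED" or not {"profile", "name", "denied_mask"} <= f.keys():
            continue
        for letter in f["denied_mask"]:
            perm = MASK_TO_PERM.get(letter)
            if perm is None:  # e.g. 'x': exec needs a transition mode chosen by hand
                unmapped.append((f["profile"], f["name"], letter))
            else:
                rules[f["profile"]][f["name"]].add(perm)
    out = {p: {path: "".join(sorted(s, key=PERM_ORDER.index)) for path, s in paths.items()}
           for p, paths in rules.items()}
    return out, unmapped

def render(rules):
    """Format suggestions; 'parent//child' is a child profile nested in the parent."""
    lines = []
    for profile, paths in sorted(rules.items()):
        parent, _, child = profile.partition("//")
        where = f"child profile '{child}' inside '{parent}'" if child else f"profile '{parent}'"
        lines += [f"# {where}"] + [f"  {path} {perms}," for path, perms in sorted(paths.items())]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(suggest_rules(SAMPLE)[0]))
```

The suggested rules use the exact denied paths; review each one before loading it, since a rule broader than the denial weakens the browser's confinement.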