Ubuntu
apparmor package

usr.bin.chromium-browser terribly outdated

Bug #1647142 reported by Hadmut Danisch
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Hi,

when using the Chromium Browser, the screen (LXDE) drowns in warning messages because of heaps of apparmor profile violations. Unusable without intense manual modifications.

For some strange reason /etc/apparmor.d/usr.bin.chromium-browser is over a year old

-rw-r--r-- 1 root root 8243 Sep 3 2015 usr.bin.chromium-browser

and part of the apparmor-profiles and not of the chromium-package (where it would belong to).

It seems as if the chromium browser is continuously developed and re-compiled with new library versions, while the apparmor profile is frozen and noone takes care about, thus things are diverging more and more.

IMHO the profile should be

a) part of the chromium browser package
b) maintained (tested) by the same package maintainers

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apparmor-profiles 2.10.95-0ubuntu2.5
ProcVersionSignature: Ubuntu 4.4.0-51.72-generic 4.4.30
Uname: Linux 4.4.0-51-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: LXDE
Date: Sun Dec 4 12:44:25 2016
PackageArchitecture: all
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.4.0-51-generic root=UUID=3e286927-f1b6-4954-8b0d-7cf23484309f ro rootflags=subvol=@ splash quiet vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: Upgraded to xenial on 2016-04-06 (242 days ago)

Revision history for this message
Hadmut Danisch (hadmut) wrote :
Seth Arnold (seth-arnold)
Changed in apparmor (Ubuntu):
status: New → Confirmed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Hadmut, thanks for the feedback.

This is a tricky situation -- chromium-browser's new sandboxing code requests a large number of system capabilities inside a user namespace. The current AppArmor profile language and enforcement engine has no way to describe "these capabilities are only valid inside a user namespace". It's not clear how we should handle this. We could grant the capabilities and let things work, but have zero security if accidentally run by the admin, or we could deny the capabilities and break the sandboxing.

Because it's difficult to have a good profile in the face of this, we haven't shipped the profile in a package that would have more users.

Thanks

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu5

---------------
apparmor (2.12-4ubuntu5) bionic; urgency=medium

  [ Didier Roche ]
  * debian/patches/ubuntu/communitheme-snap-support.patch:
    - support communitheme snap (LP: #1762983)

  [ Jamie Strandboge ]
  * debian/patches/ubuntu/add-chromium-browser.patch: adjust for newer
    chromium (LP: #1101298, LP: #1594589, LP: #1647142)
    - add attach_disconnected
    - allow reading /proc/vmstat
    - don't require owner match for /proc/pid/{stat,status} and task
      counterparts
    - adjust pci[0-9] to be pci[0-9a-f]
    - allow reading all uevents and /sys/devices/virtual/tty/tty0/active
    - allow ptracing xdgsettings and lsb-release
    - xdgsettings uses head and tr and looks at /usr/share/ubuntu/applications/
    - lsb-release uses python 3.6 and looks at apport, apt.conf, dpkg and
      distro-info
    - use 'm' on on sandbox
  * debian/patches/ubuntu/mimeinfo-snap-support.patch: allow reading
    /var/lib/snapd/desktop/applications *.desktop and mimeinfo.cache
    (LP: #1712039)

 -- Jamie Strandboge <email address hidden> Tue, 17 Apr 2018 20:15:16 +0000

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.