chromium-browser fails to start (guest account, OpenVZ): "Failed to move to new PID namespace: Operation not permitted"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Chromium Browser | Unknown | Unknown | |
Light Display Manager | Fix Released | Medium | Unassigned |
gdm-guest-session (Ubuntu) | Confirmed | Low | Unassigned |
Precise | Won't Fix | Undecided | Unassigned |
lightdm (Ubuntu) | Fix Released | Medium | Jamie Strandboge |
Precise | Fix Released | Undecided | Jamie Strandboge |
lightdm-remote-session-freerdp (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Precise | Invalid | Undecided | Unassigned |
lightdm-remote-session-uccsconfigure (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Precise | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: chromium-browser
[Impact]
Chromium-browser does not launch from guest session.
Fix by Jamie Strandboge:
"It would be nice if AppArmor could merge profiles, but we can't yet, so we need to do like you initially did: have two mostly identical profiles. Because the lightdm remote sessions are shipping policy copies, the maintenance cost is getting high. I will be abstracting out the guest rules into abstracations/
[Test Case]
1. install chromium-browser
2. login to the guest account
3. login to vt1 or login via ssh as a regular user and verify that the lightdm profile
is loaded and guest session applications are confined:
$ sudo aa-status
apparmor module is loaded.
...
/usr/
...
/usr/
/usr/
/usr/
/usr/
...
Note: number of profiles and pids will vary.
4. try to start chromium-browser either via the Dash or a terminal
Prior to upgrading, chromium-browser will fail to start with:
Failed to move to new PID namespace: Operation not permitted
After upgrading, the guest session should be functional and chromium-browser should start. In addition, aa-status should report a child profile for chromium-browser and chromium-browser should be under that confinement with other guest session applications under the lightdm-
$ sudo aa-status
apparmor module is loaded.
...
/usr/
/usr/
...
/usr/
/usr/
/usr/
...
/usr/
/usr/
/usr/
...
[Regression Potential]
As mentioned in the Impact, the apparmor profile for lightdm has necessarily been broken out into multiple parts. As such, there is potential that the guest session profile won't work correctly; however, this is easily seen in the test cases and these changes have been in place since 12.10.
[Other Info]
Attached is a debdiff for 12.04. It:
- adds debian/
debian/
does not include the fix for bug #1059510, which is unneeded on precise and b)
includes the fix for bug #1189948 to install the abstractions with the correct
permissions
- additionally, debian/
on upgrade to this version of lightdm. The code in question uses the same logic
as dh_apparmor, and I'm not sure why lightdm doesn't use dh_apparmor. Rather than
making several packaging changes to use dh_apparmor, I chose this option to reduce
change.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: chromium-browser 5.0.342.
ProcVersionSign
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Sun May 9 19:49:44 2010
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta i386 (20100318)
ProcEnviron:
LANG=tr_TR.utf8
SHELL=/bin/bash
SourcePackage: chromium-browser
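The confinement check from the [Test Case] above (guest applications under the parent profile, the browser under a `parent//child` child profile), as an added example that is not part of the original report or the lightdm packaging. The profile names in the constructed sample are placeholders, and the `<profile> (<pid>)` process-line layout is an assumption about the aa-status version in use.

```shell
#!/bin/sh
# Added example: list confined processes from `aa-status` text on stdin.
# Assumption: process lines look like "   <profile> (<pid>)".

# Print "PID PROFILE" for each process in the enforce-mode section.
enforced_procs() {
    awk '
        /processes are in enforce mode/ { in_sec = 1; next }
        /^[0-9]+ (profiles|processes) / { in_sec = 0 }
        in_sec && match($0, /\([0-9]+\)/) {
            pid = substr($0, RSTART + 1, RLENGTH - 2)
            prof = substr($0, 1, RSTART - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", prof)
            print pid, prof
        }'
}

# Count enforce-mode processes whose profile is exactly $1.
count_under() {
    enforced_procs | awk -v want="$1" '
        { sub(/^[0-9]+ /, "") }
        $0 == want { n++ }
        END { print n + 0 }'
}

# Constructed sample output; the profile names are placeholders, not the
# real lightdm profile names (the page truncates those).
SAMPLE='apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /opt/example/guest-wrapper
   /opt/example/guest-wrapper//browser
   /usr/sbin/example-daemon
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
   /opt/example/guest-wrapper (2101)
   /opt/example/guest-wrapper (2150)
   /opt/example/guest-wrapper//browser (2203)
   /usr/sbin/example-daemon (812)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Expect guest applications under the parent profile and the browser
# under the child profile "<parent>//<child>".
PARENT=/opt/example/guest-wrapper
echo "parent: $(printf '%s\n' "$SAMPLE" | count_under "$PARENT")"
echo "child:  $(printf '%s\n' "$SAMPLE" | count_under "$PARENT//browser")"
```

On a live system, pipe `sudo aa-status` into `count_under` with the profile names that `aa-status` itself reports; a child count of 0 while the browser is running means it is not under the child profile.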
Changed in gdm-guest-session (Ubuntu):
  status: New → Confirmed
  importance: Undecided → Low
  tags: added: amd64 oneiric precise
Changed in gdm-guest-session (Ubuntu):
  assignee: nobody → jeremiejig (pauljiang)
Changed in lightdm (Ubuntu):
  status: New → Confirmed
  affects: lightdm → lightdm (Ubuntu)
Changed in lightdm (Ubuntu):
  status: New → Confirmed
Changed in lightdm (Ubuntu):
  assignee: nobody → jeremiejig (pauljiang)
  status: Confirmed → In Progress
  affects: lightdm (Ubuntu) → lightdm
Changed in lightdm (Ubuntu):
  status: New → Confirmed
  importance: Undecided → Medium
Changed in lightdm (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
  status: Confirmed → In Progress
Changed in lightdm-remote-session-uccsconfigure (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
  status: New → Triaged
Changed in lightdm-remote-session-freerdp (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
  status: New → Triaged
Changed in lightdm-remote-session-uccsconfigure (Ubuntu):
  status: Triaged → In Progress
Changed in lightdm (Ubuntu):
  status: In Progress → Fix Committed
Changed in lightdm-remote-session-freerdp (Ubuntu):
  status: In Progress → Fix Committed
Changed in lightdm-remote-session-uccsconfigure (Ubuntu):
  status: In Progress → Fix Committed
Changed in lightdm:
  status: In Progress → Triaged
  importance: Undecided → Medium
Changed in lightdm:
  status: Triaged → Fix Committed
  description: updated
Changed in lightdm (Ubuntu Precise):
  assignee: nobody → Jamie Strandboge (jdstrand)
  status: New → In Progress
Changed in lightdm-remote-session-freerdp (Ubuntu Precise):
  status: New → Invalid
Changed in lightdm-remote-session-uccsconfigure (Ubuntu Precise):
  status: New → Invalid
What is the error?