AppArmor && Chromium - what's breaking? (Trusty)

Bug #1569647 reported by emily_
This bug affects 1 person

Affects    Status  Importance  Assigned to  Milestone
AppArmor   New     Undecided   Unassigned

Bug Description

Currently running on Linux Mint, 17.3; uname -a -> Linux 3.19.0-32-generic #37~14.04.1-Ubuntu SMP Thu Oct 22 09:41:40 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

By default, I almost always enable AppArmor and all of the profiles it ships with.

With the AppArmor profile for chromium-browser ENABLED, Chromium fails to run; debugging presents the following:

Starting program: /usr/lib/chromium-browser/chromium-browser --ppapi-flash-path=/usr/lib/adobe-flashplugin/libpepflashplayer.so --ppapi-flash-version= --enable-pinch
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7f6de7667700 (LWP 12978)]
[12968:12968:0412/212222:FATAL:zygote_host_impl_linux.cc(193)] Check failed: process.IsValid(). Failed to launch zygote process

Program received signal SIGABRT, Aborted.
0x00007f6df2b42cc9 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.

While the AppArmor profile for Chromium is DISABLED, the browser opens normally:

Starting program: /usr/lib/chromium-browser/chromium-browser --ppapi-flash-path=/usr/lib/adobe-flashplugin/libpepflashplayer.so --ppapi-flash-version= --enable-pinch
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fdaadd1b700 (LWP 17588)]
...
[New Thread 0x7fda9af15700 (LWP 17649)]
Created new window in existing browser session.
...
[Thread 0x7fdad435ea00 (LWP 17584) exited]
[Inferior 1 (process 17584) exited normally]

If I try to generate a WORKING AppArmor profile (not the default shipped with apparmor-profiles) for Chromium, things break:

sudo aa-genprof chromium-browser
Traceback (most recent call last):
  File "/usr/sbin/aa-genprof", line 107, in <module>
    apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 613, in get_profile_flags
    raise AppArmorException(_('%s contains no profile') % filename)
apparmor.common.AppArmorException: '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'

Grepping for "DENIED" logs in syslog returns:

"kernel: [ 501.053368] audit: type=1400 audit(1460489635.759:318): apparmor="DENIED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser" name="/bin/which" pid=5049 comm="BrowserBlocking" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.053474] audit: type=1400 audit(1460489635.759:319): apparmor="DENIED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser" name="/bin/which" pid=5049 comm="BrowserBlocking" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.057446] audit: type=1400 audit(1460489635.763:320): apparmor="DENIED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/5049/stat" pid=4802 comm="BrowserBlocking" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.087666] audit: type=1400 audit(1460489635.795:321): apparmor="DENIED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/5050/stat" pid=4802 comm="BrowserBlocking" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0"

Tags: aa-tools
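
One way to condense denial lines like those quoted above into a per-profile summary before touching the profile. This is an added example, not part of the original report or of the AppArmor tools. The sample embeds the four quoted lines, and the `<self pid>` / `<other pid>` placeholders are this example's own notation, not AppArmor rule syntax.

```python
import re
from collections import Counter

# Sample input: the four denial lines quoted in the report, embedded so the
# example runs offline (the first line's syslog prefix is truncated there too).
SAMPLE_LOG = """\
kernel: [ 501.053368] audit: type=1400 audit(1460489635.759:318): apparmor="DENIED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser" name="/bin/which" pid=5049 comm="BrowserBlocking" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.053474] audit: type=1400 audit(1460489635.759:319): apparmor="DENIED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser" name="/bin/which" pid=5049 comm="BrowserBlocking" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.057446] audit: type=1400 audit(1460489635.763:320): apparmor="DENIED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/5049/stat" pid=4802 comm="BrowserBlocking" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.087666] audit: type=1400 audit(1460489635.795:321): apparmor="DENIED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/5050/stat" pid=4802 comm="BrowserBlocking" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
"""

# key="quoted value" or key=bare_value, as used in audit records.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PROC = re.compile(r'^/proc/(\d+)/')

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def normalize_path(fields):
    """Fold per-PID /proc paths so repeated denials group together."""
    name = fields.get('name', '')
    m = PROC.match(name)
    if not m:
        return name
    # Distinguish a process reading its own /proc entry from reading another's.
    who = 'self' if m.group(1) == fields.get('pid') else 'other'
    return f'/proc/<{who} pid>/' + name[m.end():]

def summarize(log_text):
    """Count denials per (profile, operation, path, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is None:
            continue
        key = (fields.get('profile'), fields.get('operation'),
               normalize_path(fields), fields.get('denied_mask'))
        counts[key] += 1
    return counts

if __name__ == '__main__':
    for (profile, op, path, mask), n in summarize(SAMPLE_LOG).most_common():
        print(f'{n}x {profile}: {op} {path} (denied: {mask})')
```

On the sample this reduces the four lines to two distinct denials under the one profile: executing `/bin/which`, and reading the `stat` file of another process's `/proc` entry.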
Daniel Richard G. (skunk) wrote :

Hi Emily,

This issue appears to be a duplicate of

    https://bugs.launchpad.net/bugs/1471645

Could you review that report, and see if the fix suggested therein addresses the issue for you?

Christian Boltz (cboltz) wrote :

Can you reproduce the aa-logprof crash saying
    apparmor.common.AppArmorException: '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'
?

If yes, please attach the profile file.
