2016-04-13 02:26:44 |
emily_ |
bug |
|
|
added bug |
2016-04-13 02:47:51 |
emily_ |
description |
Currently running on Linux Mint, 17.3; uname -a -> Linux 3.19.0-32-generic #37~14.04.1-Ubuntu SMP Thu Oct 22 09:41:40 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
By default, I almost always enable AppArmor and all of the profiles it ships with.
With the AppArmor profile for chromium-browser ENABLED, Chromium fails to run; debugging presents the following:
Starting program: /usr/lib/chromium-browser/chromium-browser --ppapi-flash-path=/usr/lib/adobe-flashplugin/libpepflashplayer.so --ppapi-flash-version= --enable-pinch
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7f6de7667700 (LWP 12978)]
[12968:12968:0412/212222:FATAL:zygote_host_impl_linux.cc(193)] Check failed: process.IsValid(). Failed to launch zygote process
Program received signal SIGABRT, Aborted.
0x00007f6df2b42cc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
While the AppArmor profile for Chromium is DISABLED, the browser opens normally:
Starting program: /usr/lib/chromium-browser/chromium-browser --ppapi-flash-path=/usr/lib/adobe-flashplugin/libpepflashplayer.so --ppapi-flash-version= --enable-pinch
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Created new window in existing browser session.
[Inferior 1 (process 17584) exited normally]
If I try to generate a WORKING AppArmor profile (not the default shipped with apparmor-profiles) for Chromium, things break:
sudo aa-genprof chromium-browser
Traceback (most recent call last):
File "/usr/sbin/aa-genprof", line 107, in <module>
apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename, program)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 613, in get_profile_flags
raise AppArmorException(_('%s contains no profile') % filename)
apparmor.common.AppArmorException: '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'
Grepping for first "DENIAL" logs in syslog returns:
"kernel: [ 501.053368] audit: type=1400 audit(1460489635.759:318): apparmor="DENIED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser" name="/bin/which" pid=5049 comm="BrowserBlocking" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.053474] audit: type=1400 audit(1460489635.759:319): apparmor="DENIED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser" name="/bin/which" pid=5049 comm="BrowserBlocking" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.057446] audit: type=1400 audit(1460489635.763:320): apparmor="DENIED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/5049/stat" pid=4802 comm="BrowserBlocking" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.087666] audit: type=1400 audit(1460489635.795:321): apparmor="DENIED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/5050/stat" pid=4802 comm="BrowserBlocking" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0" |
|
2016-04-13 04:03:46 |
emily_ |
description |
Currently running on Linux Mint, 17.3; uname -a -> Linux 3.19.0-32-generic #37~14.04.1-Ubuntu SMP Thu Oct 22 09:41:40 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
By default, I almost always enable AppArmor and all of the profiles it ships with.
With the AppArmor profile for chromium-browser ENABLED, Chromium fails to run; debugging presents the following:
Starting program: /usr/lib/chromium-browser/chromium-browser --ppapi-flash-path=/usr/lib/adobe-flashplugin/libpepflashplayer.so --ppapi-flash-version= --enable-pinch
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7f6de7667700 (LWP 12978)]
[12968:12968:0412/212222:FATAL:zygote_host_impl_linux.cc(193)] Check failed: process.IsValid(). Failed to launch zygote process
Program received signal SIGABRT, Aborted.
0x00007f6df2b42cc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
While the AppArmor profile for Chromium is DISABLED, the browser opens normally:
Starting program: /usr/lib/chromium-browser/chromium-browser --ppapi-flash-path=/usr/lib/adobe-flashplugin/libpepflashplayer.so --ppapi-flash-version= --enable-pinch
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fdaadd1b700 (LWP 17588)]
...
[New Thread 0x7fda9af15700 (LWP 17649)]
Created new window in existing browser session.
[New Thread 0x7fda9a714700 (LWP 17652)]
[New Thread 0x7fda99f13700 (LWP 17653)]
[Thread 0x7fdaa4e18700 (LWP 17609) exited]
[Thread 0x7fda9af15700 (LWP 17649) exited]
[New Thread 0x7fdaa4e18700 (LWP 17654)]
[Thread 0x7fdaa5e1a700 (LWP 17607) exited]
...
[Thread 0x7fdad435ea00 (LWP 17584) exited]
[Inferior 1 (process 17584) exited normally]
If I try to generate a WORKING AppArmor profile (not the default shipped with apparmor-profiles) for Chromium, things break:
sudo aa-genprof chromium-browser
Traceback (most recent call last):
File "/usr/sbin/aa-genprof", line 107, in <module>
apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename, program)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 613, in get_profile_flags
raise AppArmorException(_('%s contains no profile') % filename)
apparmor.common.AppArmorException: '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'
Grepping for "DENIED" logs in syslog returns:
"kernel: [ 501.053368] audit: type=1400 audit(1460489635.759:318): apparmor="DENIED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser" name="/bin/which" pid=5049 comm="BrowserBlocking" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.053474] audit: type=1400 audit(1460489635.759:319): apparmor="DENIED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser" name="/bin/which" pid=5049 comm="BrowserBlocking" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.057446] audit: type=1400 audit(1460489635.763:320): apparmor="DENIED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/5049/stat" pid=4802 comm="BrowserBlocking" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.087666] audit: type=1400 audit(1460489635.795:321): apparmor="DENIED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/5050/stat" pid=4802 comm="BrowserBlocking" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0" |
|
2016-04-13 04:05:05 |
emily_ |
tags |
|
aa-tools |
|
2016-04-13 04:07:07 |
emily_ |
description |
|
2016-04-13 18:17:38 |
emily_ |
description |
Currently running on Linux Mint, 17.3; uname -a -> Linux 3.19.0-32-generic #37~14.04.1-Ubuntu SMP Thu Oct 22 09:41:40 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
By default, I almost always enable AppArmor and all of the profiles it ships with.
With the AppArmor profile for chromium-browser ENABLED, Chromium fails to run; debugging presents the following:
Starting program: /usr/lib/chromium-browser/chromium-browser --ppapi-flash-path=/usr/lib/adobe-flashplugin/libpepflashplayer.so --ppapi-flash-version= --enable-pinch
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7f6de7667700 (LWP 12978)]
[12968:12968:0412/212222:FATAL:zygote_host_impl_linux.cc(193)] Check failed: process.IsValid(). Failed to launch zygote process
Program received signal SIGABRT, Aborted.
0x00007f6df2b42cc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
While the AppArmor profile for Chromium is DISABLED, the browser opens normally:
Starting program: /usr/lib/chromium-browser/chromium-browser --ppapi-flash-path=/usr/lib/adobe-flashplugin/libpepflashplayer.so --ppapi-flash-version= --enable-pinch
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fdaadd1b700 (LWP 17588)]
...
[New Thread 0x7fda9af15700 (LWP 17649)]
Created new window in existing browser session.
...
[Thread 0x7fdad435ea00 (LWP 17584) exited]
[Inferior 1 (process 17584) exited normally]
If I try to generate a WORKING AppArmor profile (not the default shipped with apparmor-profiles) for Chromium, things break:
sudo aa-genprof chromium-browser
Traceback (most recent call last):
File "/usr/sbin/aa-genprof", line 107, in <module>
apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename, program)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 613, in get_profile_flags
raise AppArmorException(_('%s contains no profile') % filename)
apparmor.common.AppArmorException: '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'
Grepping for "DENIED" logs in syslog returns:
"kernel: [ 501.053368] audit: type=1400 audit(1460489635.759:318): apparmor="DENIED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser" name="/bin/which" pid=5049 comm="BrowserBlocking" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.053474] audit: type=1400 audit(1460489635.759:319): apparmor="DENIED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser" name="/bin/which" pid=5049 comm="BrowserBlocking" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.057446] audit: type=1400 audit(1460489635.763:320): apparmor="DENIED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/5049/stat" pid=4802 comm="BrowserBlocking" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Apr 12 15:33:55 void kernel: [ 501.087666] audit: type=1400 audit(1460489635.795:321): apparmor="DENIED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/5050/stat" pid=4802 comm="BrowserBlocking" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0" |
|
2016-04-27 02:56:49 |
Daniel Richard G. |
bug |
|
|
added subscriber Daniel Richard G. |