Ubuntu
webbrowser-app package

pepper flash plugin disallowed from apparmor

Bug #1585370 reported by Sam Segers
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor-easyprof-ubuntu (Ubuntu)
Incomplete
Undecided
Unassigned
webbrowser-app (Ubuntu)
New
Undecided
Unassigned

Bug Description

When launching webbrowser-app from unity8 under confinement, i get disallowed errors for /opt/google/chrome/PepperFlash/manifest.json and /opt/google/chrome/PepperFlash/libpepflashplayer.so

When I add the following to the apparmor profile of webbrowser-app and to the oxide_helper subprocess, it works:

/opt/google/** r,

/opt/google/**/*.so mr,

Don't know what's exactly needed.

See original description
Tags: apparmor
Sam Segers (sam-sgrs)
description: updated
Revision history for this message
Sam Segers (sam-sgrs) wrote :

Should also consider https://bugs.launchpad.net/oxide/+bug/1585379

description: updated
Sam Segers (sam-sgrs)
description: updated
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Perhaps:
/opt/google/chrome*/PepperFlash/ r,
/opt/google/chrome*/PepperFlash/** r,
/opt/google/chrome*/PepperFlash/**.so m,

tags: added: apparmor
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

An apparmor-easyprof-ubuntu task was added, but I'm not sure why. If this is only for webbrowser-app, just add the aforementioned rules (or similar) to the webbrowser-app policy. These rules won't work on Touch (which is what apparmor-easyprof-ubuntu is primarily for) since those paths aren't found on Touch. Can you elaborate on why this should be in apparmor-easyprof-ubuntu?

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Incomplete
Revision history for this message
Chris Coulson (chrisccoulson) wrote :

The browser can also load the plugin from the partner repository (in /usr/lib/adobe-flashplugin), although that's currently broken for a different reason.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Jamie, I added an apparmor-easyprof-ubuntu task because the oxide_helper profile is part of the webview policy. Assuming that we want to allow any app embedding a webview to display flash content, we would want those rules to be added to the oxide_helper profile, wouldn’t we?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.