allow browsers to use user namespaces in its sandbox
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Snappy | Fix Released | Medium | Jamie Strandboge | |
Bug Description
AppArmor is blocking chromium's use of user namespaces:
apparmor="ALLOWED" operation="open" profile=
apparmor="ALLOWED" operation="open" profile=
As a workaround, chromium can disable its sandbox when running under snapd. Longer term, snapd should leverage the apparmor stacking work to allow snaps to set up user namespaces via interfaces.
= Original text =
As I understand it, we plan to punch holes in AA and seccomp specifically for a new chromium profile. From devmode, I extracted the apparmor denials for chromium browser.
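The report above extracts AppArmor events from devmode, where complain-mode profiles log `ALLOWED` for accesses that would be blocked once enforced. As an added example (not part of the original report or snapd's code), this Python parser turns such audit lines into a deduplicated list of profile, verdict, operation, path and mask; the sample log, its profile names and paths, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel audit format; profile names, pids and paths
# are illustrative and not taken from the truncated log lines on this page.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1464387989.100:41): apparmor="ALLOWED" operation="open" profile="snap.example-browser.app" name="/proc/4242/uid_map" pid=4242 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1464387989.101:42): apparmor="ALLOWED" operation="open" profile="snap.example-browser.app" name="/proc/4250/uid_map" pid=4250 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1464387989.200:43): apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/user/.Private/" pid=19129 comm="ubuntu-core-lau" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1464387989.300:44): apparmor="DENIED" operation="mknod" profile="snap.example-browser.app" name=2F746D702F612062 pid=4242 comm="example" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
kernel: usb 1-1: new high-speed USB device number 5
"""

# key="quoted value" or key=bare-value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_line(line):
    """Return the key=value fields of one AppArmor audit line, else None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        # The kernel logs names containing spaces or quotes as unquoted hex.
        if key == "name" and HEX_RE.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare or quoted
    return fields

def policy_gaps(log_text):
    """Return sorted, deduplicated (profile, verdict, operation, path, mask) rows.

    ALLOWED rows come from complain mode and would be blocked once the profile
    is enforced; DENIED rows were actually blocked.
    """
    masks = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        # Collapse per-process /proc/<pid>/ paths so repeats group together.
        path = re.sub(r"^/proc/\d+/", "/proc/@{pid}/", ev.get("name", ""))
        key = (ev.get("profile", "?"), ev["apparmor"], ev.get("operation", "?"), path)
        masks[key].update(ev.get("denied_mask", ""))
    return sorted(key + ("".join(sorted(m)),) for key, m in masks.items())

if __name__ == "__main__":
    for row in policy_gaps(SAMPLE_LOG):
        print(*row, sep="  ")
```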
Changed in snappy:
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in snappy:
milestone: none → 2.12
I don't know how to get seccomp denials. Without --devmode, I get "Bad system call", a killed process, and nothing in syslog that looks promising.
$ snappy-debug.security scanlog
WARN: Could not set kernel rate limiting
= AppArmor =
Time: May 27 18:26:29
Log: apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/cmiller/.Private/" pid=19129 comm="ubuntu-core-lau" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
File: /home/.ecryptfs/cmiller/.Private/ (write)
Suggestion:
* adjust program to write to $SNAP_DATA or $SNAP_USER_DATA
= AppArmor =
Time: May 27 18:26:29
Log: apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/cmiller/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWb4VZJUL514cESvVcp5DUiJnlmnLbK3jZjVm2NAu0yQBQyD7yyIFBnaJE--/" pid=19129 comm="ubuntu-core-lau" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
File: /home/.ecryptfs/cmiller/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWb4VZJUL514cESvVcp5DUiJnlmnLbK3jZjVm2NAu0yQBQyD7yyIFBnaJE--/ (write)
Suggestion:
* adjust program to write to $SNAP_DATA or $SNAP_USER_DATA
= AppArmor =
Time: May 27 18:26:29
Log: apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/cmiller/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWb4VZJUL514cESvVcp5DUiJnlmnLbK3jZjVm2NAu0yQBQyD7yyIFBnaJE--/ECRYPTFS_FNEK_ENCRYPTED.FWb4VZJUL514cESvVcp5DUiJnlmnLbK3jZjVmlGoq0dj7d2FKctk3XIkSU--/" pid=19129 comm="ubuntu-core-lau" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
File: /home/.ecryptfs/cmiller/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWb4VZJUL514cESvVcp5DUiJnlmnLbK3jZjVm2NAu0yQBQyD7yyIFBnaJE--/ECRYPTFS_FNEK_ENCRYPTED.FWb4VZJUL514cESvVcp5DUiJnlmnLbK3jZjVmlGoq0dj7d2FKctk3XIkSU--/ (write)
Suggestion:
* adjust program to write to $SNAP_DATA or $SNAP_USER_DATA
= AppArmor =
Time: May 27 18:26:29
Log: apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/cmiller/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWb4VZJUL514cESvVcp5DUiJnlmnLbK3jZjVm2NAu0yQBQyD7yyIFBnaJE--/ECRYPTFS_FNEK_ENCRYPTED.FWb4VZJUL514cESvVcp5DUiJnlmnLbK3jZjVmlGoq0dj7d2FKctk3XIkSU--/ECRYPTFS_FNEK_ENCRYPTED.FWb4VZJUL514cESvVcp5DUiJnlmnLbK3jZjVU1RPVUAnysWJtdM9.Q7n0E--/" pid=19129 comm="ubuntu-core-lau" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
File: /home/.ecryptfs/cmiller/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWb4VZJUL514cESvVcp5DUiJnlmnLbK3jZjVm2NAu0yQBQyD7yyIFBnaJE--/ECRYPTFS_FNEK_ENCRYPTED.FWb4VZJUL514cESvVcp5DUiJnlmnLbK3jZjVmlGoq0dj7d2FKctk3XIkSU--/ECRYPTFS_FNEK_ENCRYPTED.FWb4VZJUL514cESvVcp5DUiJnlmnLbK3jZjVU1RPVUAnysWJtdM9.Q7n0E--/ (write)
Suggestion:
* adjust program to write to $SNAP_DATA or $SNAP_USER_DATA