Brave is not included in the Ubuntu helpers

Bug #1889699 reported by François Marier
This bug affects 1 person
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Jamie Strandboge

Bug Description

The Brave browser is not included in /etc/apparmor.d/abstractions/ubuntu-browsers and /etc/apparmor.d/abstractions/ubuntu-helpers which means that when it's set as a default browser by a user, profiles like /etc/apparmor.d/usr.bin.evince break.

In this case, it means that users can't click on web links in PDFs for example: https://community.brave.com/t/brave-does-not-open-links-clicked-when-set-as-default-browser/146608/9
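Whether a given browser binary is covered by the exec rules of an abstraction such as ubuntu-browsers can be checked offline before a profile like usr.bin.evince is relied on. The following is an added example, not part of the original report or of AppArmor itself; the sample policy text is constructed, the function names are hypothetical, and the glob translation covers only *, **, ? and {a,b} alternation.

```python
import re

# Constructed sample in the style of abstractions/ubuntu-browsers.
SAMPLE_ABSTRACTION = """\
  # Chromium-based browsers
  /usr/bin/opera Cx -> sanitized_helper,
  /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
"""

def aare_to_regex(pattern):
    """Translate an AppArmor path glob (*, **, ?, {a,b}) into a Python regex."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")          # ** may cross directory separators
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")       # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def exec_rules(policy_text):
    """Yield (path_glob, permissions) for each path rule that carries an x permission."""
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(",")
        m = re.match(r"(/\S*)\s+([A-Za-z]+)", line)
        if m and "x" in m.group(2).lower():
            yield m.group(1), m.group(2)

def covering_rule(policy_text, binary_path):
    """Return the first (glob, permissions) exec rule matching binary_path, else None."""
    for glob, perms in exec_rules(policy_text):
        if aare_to_regex(glob).fullmatch(binary_path):
            return glob, perms
    return None
```

A result of None for the resolved path of the default browser means a confined application that includes the abstraction has no rule allowing it to execute that browser.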

François Marier (fmarier) wrote :

I fixed it locally by changing the following files in /etc:

diff --git a/apparmor.d/abstractions/ubuntu-browsers b/apparmor.d/abstractions/ubuntu-browsers
index 0d67682..22f151d 100644
--- a/apparmor.d/abstractions/ubuntu-browsers
+++ b/apparmor.d/abstractions/ubuntu-browsers
@@ -40,3 +40,4 @@
   /usr/lib/icecat-*/icecat Cx -> sanitized_helper,
   /usr/bin/opera Cx -> sanitized_helper,
   /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper,
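Review bot: The two nested alternations in the added rule, brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly}, expand to every pairing of directory and launcher suffix, including mismatched ones such as /opt/brave.com/brave-beta/brave-browser-nightly. That mirrors the google-chrome rule directly above it, so it is consistent with the file, but either listing the matching channel pairs explicitly or adding a comment that the cross-product is intentional would keep the Cx -> sanitized_helper transition limited to paths that are expected to exist. As shown, the added line is also indented by one space where the neighbouring rules use two.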
diff --git a/apparmor.d/abstractions/ubuntu-helpers b/apparmor.d/abstractions/ubuntu-helpers
index 6e89c14..25db13d 100644
--- a/apparmor.d/abstractions/ubuntu-helpers
+++ b/apparmor.d/abstractions/ubuntu-helpers
@@ -73,6 +73,10 @@ profile sanitized_helper {
   /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
   /opt/google/chrome{,-beta,-unstable}/chrome Pixr,
   /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,

   # Full access
   / r,
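Review bot: The first added rule gives chrome-sandbox PUxr, which falls back to running unconfined (with a scrubbed environment) when no profile is loaded for that path, while the three rules after it stay within sanitized_helper through Pixr or m. A short comment above the Brave block stating why the sandbox helper needs the unconfined fallback would help later readers, and it should be confirmed against how the Chrome sandbox helper is handled earlier in the profile, which this hunk does not show. The second added rule also accepts brave-browser{,-beta,-dev,-nightly}, whereas the google-chrome Pixr line in the context carries no channel suffix; if the suffixed launcher names are not needed there, the alternation can be dropped.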

Jamie Strandboge (jdstrand) wrote :

Thanks for the patch! I'll get this incorporated into the next apparmor upload.

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 3.0.0~beta1-0ubuntu6

---------------
apparmor (3.0.0~beta1-0ubuntu6) groovy; urgency=medium

  * Drop d/p/lp1824812.patch: this patch was only needed with 2.13 and not
    3.0. With AppArmor 3, the patch ends up setting SFS_MOUNTPOINT to the
    wrong directory in is_container_with_internal_policy(), which causes
    policy to always fail to load in containers. Thanks to Christian Ehrhardt
    for the analysis. (LP: #1895967)

apparmor (3.0.0~beta1-0ubuntu5) groovy; urgency=medium

  [ John Johansen ]
  * d/p/fix-parser-to-emit-proc-attr-access-for-all-situations.patch:
    fix-automatic-adding-of-rule-for-change-hat-iface.patch fixed the
    parser to emit rules needed for change_hat in the hat profiles but
    broke the rule being emitted for the parent profile, this fixes it for
    both so that it is emitted for any profile that is a hat or that
    contains a hat.
  * d/p/fix-change-profile-stack-abstraction.patch: fix the change_profile
    abstraction so that it allows access to the apparmor attribute paths
    under LSM stacking.

apparmor (3.0.0~beta1-0ubuntu2) groovy; urgency=medium

  [ John Johansen ]
  * d/p/fix-automatic-adding-of-rule-for-change-hat-iface.patch: fix
    parser not adding a rule to profiles if they are a hat or contain hats
    granting write access to the kernel interfaces.

apparmor (3.0.0~beta1-0ubuntu1) groovy; urgency=medium

  [ John Johansen ]
  * New upstream release (LP: #1895060, LP: #1887577, LP: #1880841)
  * Drop all patches backported from upstream: applied in 3.0
  * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: provide
    example and base abi to pin pre 3.0 policy
  * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: enable pinning
    of pre AppArmor 3.x policy
  * drop d/p/debian/dont-include-site-local-with-dovecot.patch: no longer
    needed with upstream 'include if exists'

  [ Steve Beattie ]
  * d/p/parser-fix_cap_match.patch: fix cap match to work correctly, important
    now that groovy has a 5.8 kernel.
  * d/apparmor-profiles.install:
    + adjust for renamed postfix profiles
    + add usr.bin.dumpcap and usr.bin.mlmmj-receive to extra-profiles
    + remove usr.sbin.nmbd and usr.sbin.smbd from extra-profiles (already in
      apparmor-profiles)
  * d/apparmor.install: include abi/ directory and tunables/etc.
  * d/apparmor.manpages: add apparmor_xattrs.7 manpage
  * d/control:
    + apparmor-utils: no more shipped perl tools, drop perl dependency
    + apparmor-notify: aa-notify was converted to python3 from perl; adjust
      -notify dependencies to compensate
  * d/p/fix-tests-regression-apparmor-prologue-inc-settest.patch:
    fix sed expression in settest()

  [ Emilia Torino ]
  * Removing Ubuntu specific chromium-browser profile. This is safe to do
    since groovy's chromium-browser deb installs the snap. If apparmor3
    is backported to 18.04 or earlier, the profile will need to be taken
    into consideration
    - d/profiles/chromium-browser: remove chromium-browser profile
    - d/apparmor-profiles.postinst: remove postinst script as it only
      contains chromium-browser related functionality.
    ...

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released