Chromium not working in guest session (need more AppArmor rules)

Bug #1504049 reported by Hadmut Danisch on 2015-10-08
This bug affects 1 person
Affects: Importance, Assigned to
Light Display Manager: Medium, Unassigned
  1.10: Medium, Unassigned
  1.14: Medium, Unassigned
  1.16: Medium, Unassigned
lightdm (Ubuntu): Medium, Robert Ancell
  Trusty: Medium, Robert Ancell
  Vivid: Medium, Robert Ancell
  Wily: Medium, Robert Ancell

Bug Description

[Impact]
Unable to run Chromium from guest session.

[Test Case]
1. Start Ubuntu
2. From greeter select guest session
3. Load Chromium

Expected result:
Chromium runs.

Observed result:
Chromium does not run.

[Regression Potential]
Low. The change is a few additional apparmor rules. There is a low risk that the new rules might allow a guest program to access a flaw.

Hadmut Danisch (hadmut) wrote :

BTW: the logs say "ALLOWED", but still are annoying.

Chad Miller (cmiller) wrote :

apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/setgroups" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/uid_map" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/gid_map" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/setgroups" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/gid_map" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/uid_map" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/etc/xdg/xdg-xubuntu/xfce4/helpers.rc" comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/etc/xdg/xdg-xubuntu/xfce4/helpers.rc" comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32748/stat" comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=19 capname="sys_ptrace"
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/etc/xdg/xdg-xubuntu/xfce4/helpers.rc" comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/etc/xdg/xdg-xubuntu/xfce4/helpers.rc" comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32766/stat" comm="BrowserBlocking" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=19 capname="sys_ptrace"
apparmor="ALLOWED" operation="capable" profile="...

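An added example, not part of the original thread or of the lightdm or AppArmor tooling: a small parser that turns complain-mode ("ALLOWED") audit lines like the ones above into deduplicated candidate rules per profile, so the requested capabilities and paths can be reviewed before anything is added to a profile. The function names and the `REVIEW_CAPS` set are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the log excerpt in this thread, including its truncated last line.
SAMPLE_LOG = '''\
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/setgroups" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/uid_map" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/etc/xdg/xdg-xubuntu/xfce4/helpers.rc" comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32748/stat" comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=19 capname="sys_ptrace"
apparmor="ALLOWED" operation="capable" profile="...
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^"\s]+))')
REVIEW_CAPS = {"sys_admin", "sys_ptrace"}  # assumption: capabilities this reviewer wants flagged


def parse_fields(line):
    """Split one AppArmor audit line into a dict of its key=value fields."""
    return {m[1]: m[2] if m[2] is not None else m[3] for m in FIELD.finditer(line)}


def candidate_rules(log_text):
    """Map each profile to sorted (rule, needs_review) pairs seen in complain mode."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "ALLOWED" or "profile" not in f:
            continue  # not a complain-mode event, or the line is truncated
        if f.get("operation") == "capable" and "capname" in f:
            rule = (f"capability {f['capname']},", f["capname"] in REVIEW_CAPS)
        elif "name" in f and "denied_mask" in f:
            # Per-process /proc paths change on every run, so replace the PID with a glob.
            path = re.sub(r"^/proc/\d+/", "@{PROC}/[0-9]*/", f["name"])
            # 'owner' limits the rule to files owned by the accessing user.
            owner = "owner " if f.get("fsuid") == f.get("ouid") else ""
            rule = (f"{owner}{path} {f['denied_mask']},", False)
        else:
            continue
        rules[f["profile"]].add(rule)
    return {profile: sorted(found) for profile, found in rules.items()}


if __name__ == "__main__":
    for profile, found in candidate_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule, review in found:
            print(f"  {rule}" + ("   # review before granting" if review else ""))
```

The output is a review list, not a profile: each candidate still needs a decision on whether the guest session should be granted it at all.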

Chad Miller (cmiller) wrote :

Please paste the output of

    $ dpkg -S $(grep -l -r chromium /etc/apparmor.d/)

Changed in chromium-browser (Ubuntu):
status: New → Incomplete
Chad Miller (cmiller) on 2015-10-12
Changed in chromium-browser (Ubuntu):
status: Incomplete → Confirmed
Chad Miller (cmiller) wrote :
Changed in lightdm (Ubuntu):
assignee: nobody → Robert Ancell (robert-ancell)
no longer affects: lightdm/trunk
Changed in lightdm:
importance: Undecided → Medium
status: New → Fix Committed
milestone: none → 1.17.0
Changed in lightdm (Ubuntu Trusty):
importance: Undecided → Medium
status: New → Triaged
Changed in lightdm (Ubuntu Vivid):
importance: Undecided → Medium
status: New → Triaged
Changed in lightdm (Ubuntu Wily):
importance: Undecided → Medium
status: New → Triaged
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.16.4-0ubuntu1

---------------
lightdm (1.16.4-0ubuntu1) wily; urgency=medium

  * New upstream release:
    - Fix apparmor profiles for running Chromium in guest sessions
      (LP: #1504049)

 -- Robert Ancell <email address hidden> Tue, 13 Oct 2015 11:47:16 +0100

Changed in lightdm (Ubuntu Wily):
status: Triaged → Fix Released
Hadmut Danisch (hadmut) wrote :

# dpkg -S $(grep -l -r chromium /etc/apparmor.d/)
dpkg-query: no path found matching pattern /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
evince-common: /etc/apparmor.d/abstractions/evince
lightdm: /etc/apparmor.d/abstractions/lightdm
apparmor: /etc/apparmor.d/abstractions/private-files-strict
apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers
apparmor: /etc/apparmor.d/abstractions/ubuntu-helpers
lightdm: /etc/apparmor.d/abstractions/lightdm_chromium-browser
dpkg-query: no path found matching pattern /etc/apparmor.d/cache/usr.bin.chromium-browser
dpkg-query: no path found matching pattern /etc/apparmor.d/cache/lightdm-guest-session
dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.bin.chromium-browser
lightdm: /etc/apparmor.d/lightdm-guest-session
apparmor-profiles: /etc/apparmor.d/usr.bin.chromium-browser

Chad Miller (cmiller) wrote :

Hadmut, thank you, but I don't understand the significance of your comment. Can you elucidate what you intend us to know?

Hadmut Danisch (hadmut) wrote :

> Can you elucidate what you intend us to know?

Not really.

You had asked me in comment #5 to paste in the output of this command, and I did as requested.

I had no intention to transport a major message to the world, just to fulfill what I had been asked for.

Ah! I was worried it was some additional problem report after the package
was modified through the security update above. Thank you.

We think it should work for you after this update to lightdm is applied.

Could you please edit also the following directive in abstractions/lightdm_chromium-browser? I cannot close Chromium remotely with "killall chromium" from a guest session because it's currently disallowed to receive SIGTERM.

    signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session

Robert Ancell (robert-ancell) wrote :

Laércio - can you open a new bug for this?

Laércio de Sousa (lbssousa) wrote :

OK, Robert!

summary: - apparmor rules too tight for chromium
+ Chromium not working in guest session (need more AppArmor rules)
Changed in lightdm:
status: Fix Committed → Fix Released
Changed in lightdm (Ubuntu Vivid):
assignee: nobody → Robert Ancell (robert-ancell)
status: Triaged → In Progress

Hello Hadmut, or anyone else affected,

Accepted lightdm into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lightdm/1.14.3-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lightdm (Ubuntu Vivid):
status: In Progress → Fix Committed
tags: added: verification-needed
Robert Ancell (robert-ancell) wrote :

On Vivid I could load ubuntu.com from Chromium in a guest account.

tags: added: verification-done-vivid
removed: verification-needed
Mathew Hodson (mathew-hodson) wrote :

It doesn't look like any of the fixes will be in the chromium-browser package. Can I remove that task from the bug?

Chad Miller (cmiller) on 2015-11-20
Changed in chromium-browser (Ubuntu):
status: Confirmed → Invalid
Changed in chromium-browser (Ubuntu Wily):
status: Confirmed → Invalid
no longer affects: chromium-browser (Ubuntu)
no longer affects: chromium-browser (Ubuntu Trusty)
no longer affects: chromium-browser (Ubuntu Vivid)
no longer affects: chromium-browser (Ubuntu Wily)
Chris J Arges (arges) wrote :

Hello Hadmut, or anyone else affected,

Accepted lightdm into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lightdm/1.10.6-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lightdm (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed
Robert Ancell (robert-ancell) wrote :

On Trusty I could load ubuntu.com from Chromium in a guest account.

tags: added: verification-done-trusty
removed: verification-needed
Changed in lightdm (Ubuntu Trusty):
assignee: nobody → Robert Ancell (robert-ancell)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.10.6-0ubuntu1

---------------
lightdm (1.10.6-0ubuntu1) trusty; urgency=medium

  * New upstream release:
    - Handle trailing whitespace on boolean values in configuration.
      (LP: #1507033)
    - Use libaudit to generate audit events.
    - Fix apparmor profiles for running Chromium in guest sessions.
      (LP: #1504049)
    - Add LC_PAPER, LC_NAME, LC_ADDRESS, LC_TELEPHONE, LC_MEASUREMENT and
      LC_IDENTIFICATION variables to the list of inherited locale variables.
      (LP: #1511259)
    - Add a backup-logs option that can be used to disable existing logging
      files having a .old suffix added to them.
    - Check the version of the X server we are running so we correctly pass
      -listen tcp when required. (LP: #1449282)
    - Use IP address of XDMCP requests to contact X server if available.
      (LP: #1481561)
    - Implement XDMCP ForwardQuery. (LP: #1511545)
    - Add an option for XDMCP and VNC servers to only listen on one address.
      (LP: #1390808)
    - Don't start LightDM if the XDMCP server is configured with a key that
      doesn't exist. (LP: #1517685)
    - Add IP addresses to XDMCP log messages.
    - Refactor XDMCP error handling.
    - Fix small memory leak in XDMCP logging code.
    - Fix typo in dm-tool man page. (LP: #1470587)
    - Use new Xmir binary when running X under Unity System Compositor.
    - Fix all the things that prevent clang (3.5) from building LightDM with
      -Werror.
    - Add more tests.

 -- Robert Ancell <email address hidden> Fri, 20 Nov 2015 16:07:50 +1300

Changed in lightdm (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for lightdm has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.14.4-0ubuntu1

---------------
lightdm (1.14.4-0ubuntu1) vivid; urgency=medium

  * New upstream release:
    - Handle XDMCP Request packet with no addresses. (LP: #1516831)
    - Don't start LightDM if the XDMCP server is configured with a key that
      doesn't exist. (LP: #1517685)
    - Add IP addresses to XDMCP log messages.
    - Refactor XDMCP error handling.
    - Add more tests.

 -- Robert Ancell <email address hidden> Fri, 20 Nov 2015 16:01:15 +1300

Changed in lightdm (Ubuntu Vivid):
status: Fix Committed → Fix Released