Chromium not working in guest session (need more AppArmor rules)

Bug #1504049 reported by Hadmut Danisch
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Light Display Manager | Fix Released | Medium | Unassigned | |
| 1.10 | Fix Committed | Medium | Unassigned | |
| 1.14 | Fix Released | Medium | Unassigned | |
| 1.16 | Fix Released | Medium | Unassigned | |
| lightdm (Ubuntu) | Fix Released | Medium | Robert Ancell | |
| Trusty | Fix Released | Medium | Robert Ancell | |
| Vivid | Fix Released | Medium | Robert Ancell | |
| Wily | Fix Released | Medium | Robert Ancell | |

Bug Description

[Impact]
Unable to run Chromium from guest session.

[Test Case]
1. Start Ubuntu
2. From greeter select guest session
3. Load Chromium

Expected result:
Chromium runs.

Observed result:
Chromium does not run.

[Regression Potential]
Low. The change is a few additional apparmor rules. There is a low risk that the new rules might allow a guest program to access a flaw.

Hadmut Danisch (hadmut) wrote :

BTW: the logs say "ALLOWED", but still are annoying.

Chad Miller (cmiller) wrote :

apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/setgroups" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/uid_map" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/gid_map" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/setgroups" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/gid_map" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/uid_map" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/etc/xdg/xdg-xubuntu/xfce4/helpers.rc" comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/etc/xdg/xdg-xubuntu/xfce4/helpers.rc" comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32748/stat" comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=19 capname="sys_ptrace"
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/etc/xdg/xdg-xubuntu/xfce4/helpers.rc" comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/etc/xdg/xdg-xubuntu/xfce4/helpers.rc" comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32766/stat" comm="BrowserBlocking" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=19 capname="sys_ptrace"
apparmor="ALLOWED" operation="capable" profile="...
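
Added example, not part of the original comment and not lightdm or AppArmor project code: the audit messages above are logged as ALLOWED because the profile is in complain mode, and they can be reduced to the distinct rules each profile would need under enforcement, which is what has to be reviewed before widening a guest-session profile. The sample lines are copied from the comment; collapsing `/proc/<pid>/` to `@{pid}` and emitting `owner` when `fsuid` equals `ouid` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the audit messages quoted in the comment above,
# including the truncated final line.
SAMPLE_LOG = '''\
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/setgroups" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32564/uid_map" comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/etc/xdg/xdg-xubuntu/xfce4/helpers.rc" comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/32748/stat" comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" comm="chromium-browse" capability=19 capname="sys_ptrace"
apparmor="ALLOWED" operation="capable" profile="...
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key/value fields of one AppArmor audit message."""
    return {k: q if q else u for k, q, u in FIELD.findall(line)}

def candidate_rules(log_text):
    """Map each profile name to the sorted, de-duplicated rules its log lines imply."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        if f.get("operation") == "capable" and "capname" in f:
            rules[f["profile"]].add(f"capability {f['capname']},")
        elif "name" in f and "denied_mask" in f:
            # Assumption: per-process /proc/<pid>/ paths are collapsed to @{pid}.
            path = re.sub(r"^/proc/\d+/", "/proc/@{pid}/", f["name"])
            # Assumption: emit "owner" only when the accessing uid owns the file.
            owner = "owner " if "fsuid" in f and f["fsuid"] == f.get("ouid") else ""
            rules[f["profile"]].add(f"{owner}{path} {f['denied_mask']},")
        # Truncated messages (no capname, no name) fall through and are skipped.
    return {profile: sorted(r) for profile, r in rules.items()}

if __name__ == "__main__":
    for profile, rule_list in candidate_rules(SAMPLE_LOG).items():
        print(profile)
        for rule in rule_list:
            print("   ", rule)
```

Each `capability` line in the output is a grant to weigh individually rather than copy into the profile as-is.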


Chad Miller (cmiller) wrote :

Please paste the output of

    $ dpkg -S $(grep -l -r chromium /etc/apparmor.d/)

Changed in chromium-browser (Ubuntu):
status: New → Incomplete
Chad Miller (cmiller)
Changed in chromium-browser (Ubuntu):
status: Incomplete → Confirmed
Chad Miller (cmiller) wrote :
Changed in lightdm (Ubuntu):
assignee: nobody → Robert Ancell (robert-ancell)
no longer affects: lightdm/trunk
Changed in lightdm:
importance: Undecided → Medium
status: New → Fix Committed
milestone: none → 1.17.0
Changed in lightdm (Ubuntu Trusty):
importance: Undecided → Medium
status: New → Triaged
Changed in lightdm (Ubuntu Vivid):
importance: Undecided → Medium
status: New → Triaged
Changed in lightdm (Ubuntu Wily):
importance: Undecided → Medium
status: New → Triaged
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.16.4-0ubuntu1

---------------
lightdm (1.16.4-0ubuntu1) wily; urgency=medium

  * New upstream release:
    - Fix apparmor profiles for running Chromium in guest sessions
      (LP: #1504049)

 -- Robert Ancell <email address hidden> Tue, 13 Oct 2015 11:47:16 +0100

Changed in lightdm (Ubuntu Wily):
status: Triaged → Fix Released
Hadmut Danisch (hadmut) wrote :

# dpkg -S $(grep -l -r chromium /etc/apparmor.d/)
dpkg-query: no path found matching pattern /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
evince-common: /etc/apparmor.d/abstractions/evince
lightdm: /etc/apparmor.d/abstractions/lightdm
apparmor: /etc/apparmor.d/abstractions/private-files-strict
apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers
apparmor: /etc/apparmor.d/abstractions/ubuntu-helpers
lightdm: /etc/apparmor.d/abstractions/lightdm_chromium-browser
dpkg-query: no path found matching pattern /etc/apparmor.d/cache/usr.bin.chromium-browser
dpkg-query: no path found matching pattern /etc/apparmor.d/cache/lightdm-guest-session
dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.bin.chromium-browser
lightdm: /etc/apparmor.d/lightdm-guest-session
apparmor-profiles: /etc/apparmor.d/usr.bin.chromium-browser

Chad Miller (cmiller) wrote :

Hadmut, thank you, but I don't understand the significance of your comment. Can you elucidate what you intend us to know?

Hadmut Danisch (hadmut) wrote :

> Can you elucidate what you intend us to know?

Not really.

You had asked me in comment #5 to paste in the output of this command, and I did as requested.

I had no intention to transport a major message to the world, just to fulfill what I had been asked for.

Chad Miller (cmiller) wrote : Re: [Bug 1504049] Re: apparmor rules too tight for chromium

Ah! I was worried it was some additional problem report after the package
was modified through the security update above. Thank you.

We think it should work for you after this update to lightdm is applied.

Laércio de Sousa (lbssousa) wrote : Re: apparmor rules too tight for chromium

Could you please edit also the following directive in abstractions/lightdm_chromium-browser? I cannot close Chromium remotely with "killall chromium" from a guest session because it's currently disallowed to receive SIGTERM.

signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session

Robert Ancell (robert-ancell) wrote :

Laércio - can you open a new bug for this?

Laércio de Sousa (lbssousa) wrote :

OK, Robert!

summary: - apparmor rules too tight for chromium
+ Chromium not working in guest session (need more AppArmor rules)
Changed in lightdm:
status: Fix Committed → Fix Released
Changed in lightdm (Ubuntu Vivid):
assignee: nobody → Robert Ancell (robert-ancell)
status: Triaged → In Progress
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Hadmut, or anyone else affected,

Accepted lightdm into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lightdm/1.14.3-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lightdm (Ubuntu Vivid):
status: In Progress → Fix Committed
tags: added: verification-needed
Robert Ancell (robert-ancell) wrote :

On Vivid I could load ubuntu.com from Chromium in a guest account.

tags: added: verification-done-vivid
removed: verification-needed
Mathew Hodson (mhodson) wrote :

It doesn't look like any of the fixes will be in the chromium-browser package. Can I remove that task from the bug?

Chad Miller (cmiller)
Changed in chromium-browser (Ubuntu):
status: Confirmed → Invalid
Changed in chromium-browser (Ubuntu Wily):
status: Confirmed → Invalid
Mathew Hodson (mhodson)
no longer affects: chromium-browser (Ubuntu)
no longer affects: chromium-browser (Ubuntu Trusty)
no longer affects: chromium-browser (Ubuntu Vivid)
no longer affects: chromium-browser (Ubuntu Wily)
Chris J Arges (arges) wrote :

Hello Hadmut, or anyone else affected,

Accepted lightdm into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lightdm/1.10.6-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lightdm (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed
Robert Ancell (robert-ancell) wrote :

On Trusty I could load ubuntu.com from Chromium in a guest account.

tags: added: verification-done-trusty
removed: verification-needed
Changed in lightdm (Ubuntu Trusty):
assignee: nobody → Robert Ancell (robert-ancell)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.10.6-0ubuntu1

---------------
lightdm (1.10.6-0ubuntu1) trusty; urgency=medium

  * New upstream release:
    - Handle trailing whitespace on boolean values in configuration.
      (LP: #1507033)
    - Use libaudit to generate audit events.
    - Fix apparmor profiles for running Chromium in guest sessions.
      (LP: #1504049)
    - Add LC_PAPER, LC_NAME, LC_ADDRESS, LC_TELEPHONE, LC_MEASUREMENT and
      LC_IDENTIFICATION variables to the list of inherited locale variables.
      (LP: #1511259)
    - Add a backup-logs option that can be used to disable existing logging
      files having a .old suffix added to them.
    - Check the version of the X server we are running so we correctly pass
      -listen tcp when required. (LP: #1449282)
    - Use IP address of XDMCP requests to contact X server if available.
      (LP: #1481561)
    - Implement XDMCP ForwardQuery. (LP: #1511545)
    - Add an option for XDMCP and VNC servers to only listen on one address.
      (LP: #1390808)
    - Don't start LightDM if the XDMCP server is configured with a key that
      doesn't exist. (LP: #1517685)
    - Add IP addresses to XDMCP log messages.
    - Refactor XDMCP error handling.
    - Fix small memory leak in XDMCP logging code.
    - Fix typo in dm-tool man page. (LP: #1470587)
    - Use new Xmir binary when running X under Unity System Compositor.
    - Fix all the things that prevent clang (3.5) from building LightDM with
      -Werror.
    - Add more tests.

 -- Robert Ancell <email address hidden> Fri, 20 Nov 2015 16:07:50 +1300

Changed in lightdm (Ubuntu Trusty):
status: Fix Committed → Fix Released
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for lightdm has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.14.4-0ubuntu1

---------------
lightdm (1.14.4-0ubuntu1) vivid; urgency=medium

  * New upstream release:
    - Handle XDMCP Request packet with no addresses. (LP: #1516831)
    - Don't start LightDM if the XDMCP server is configured with a key that
      doesn't exist. (LP: #1517685)
    - Add IP addresses to XDMCP log messages.
    - Refactor XDMCP error handling.
    - Add more tests.

 -- Robert Ancell <email address hidden> Fri, 20 Nov 2015 16:01:15 +1300

Changed in lightdm (Ubuntu Vivid):
status: Fix Committed → Fix Released