apparmor confined applications with a WebView get a denial for sys_admin capability

Bug #1494176 reported by Olivier Tilloy
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Oxide | New | Undecided | Unassigned | |
| apparmor-easyprof-ubuntu (Ubuntu) | New | Undecided | Unassigned | |

Bug Description

Testing oxide 1.9.1 on arale, I created a simple click package that simply launches qmlview with the following bit of QML:

    import QtQuick 2.4
    import com.canonical.Oxide 1.9
    WebView {
        url: "http://example.org"
    }

The manifest for the app has policy groups "networking" and "webview", and the policy version is 1.3.

When I launch the app, it fails to start, and the app’s log is the following:

    [0910/101904:FATAL:zygote_host_impl_linux.cc(182)] Check failed: process.IsValid(). Failed to launch zygote process

Looking into /var/log/syslog, I’m seeing the following denial:

    Sep 10 10:19:28 ubuntu-phablet kernel: [ 320.255767] type=1400 audit(1441873168.850:197): apparmor="DENIED" operation="capable" profile="testwebview.osomon_testwebview_0.1" pid=4281 comm="qmlscene" capability=21 capname="sys_admin"

Olivier Tilloy (osomon) wrote :

Note that the same happens for any webapp: the webapp container fails to start because of the above denial.
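For triage, the denial quoted in the report can be pulled out of syslog and grouped by confined profile, which shows at a glance whether several apps hit the same capability denial. This is an added example, not part of the original report or of Oxide/AppArmor tooling; the function names are hypothetical, and the second and third sample lines are constructed.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the report. Lines 2 and 3 are constructed
# (hypothetical profile, pid, path) to stand in for "any webapp" and for an
# unrelated file denial that must be filtered out.
SAMPLE_SYSLOG = '''\
Sep 10 10:19:28 ubuntu-phablet kernel: [ 320.255767] type=1400 audit(1441873168.850:197): apparmor="DENIED" operation="capable" profile="testwebview.osomon_testwebview_0.1" pid=4281 comm="qmlscene" capability=21 capname="sys_admin"
Sep 10 10:21:02 ubuntu-phablet kernel: [ 414.101010] type=1400 audit(1441873262.120:201): apparmor="DENIED" operation="capable" profile="example.webapp_example_0.1" pid=4410 comm="webapp-container" capability=21 capname="sys_admin"
Sep 10 10:21:05 ubuntu-phablet kernel: [ 417.000000] type=1400 audit(1441873265.000:202): apparmor="DENIED" operation="open" profile="example.webapp_example_0.1" name="/tmp/constructed" pid=4410 comm="webapp-container" requested_mask="r" denied_mask="r"
'''

# AppArmor kernel messages are audit type 1400: "audit(<epoch>:<serial>): k=v ..."
AUDIT_RE = re.compile(r'type=1400 audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group('body')):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    if 'apparmor' not in fields:
        return None
    fields['audit_time'] = float(m.group('ts'))
    fields['audit_serial'] = int(m.group('serial'))
    return fields


def capability_denials(text):
    """Map profile -> set of (capname, comm) for DENIED 'capable' operations."""
    by_profile = defaultdict(set)
    for line in text.splitlines():
        ev = parse_apparmor_line(line)
        if ev and ev.get('apparmor') == 'DENIED' and ev.get('operation') == 'capable':
            by_profile[ev.get('profile', '?')].add((ev.get('capname', '?'), ev.get('comm', '?')))
    return dict(by_profile)


if __name__ == '__main__':
    for profile, hits in sorted(capability_denials(SAMPLE_SYSLOG).items()):
        print(profile, sorted(hits))
```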
