2016-05-27 22:04:45 | Chad Miller | bug | added bug

2016-05-27 22:05:51 | Chad Miller | attachment added | apparmor denials in simple run. https://bugs.launchpad.net/snappy/+bug/1586547/+attachment/4671628/+files/chrompolicy

2016-05-27 22:06:19 | Chad Miller | description
Old value:
As I understand it, we plan to punch holes in AA and seccomp specifically for a new chromium profile. From devmode, I extracted the apparmor denials for chromium browser.
apparmor="ALLOWED" operation="capable" profile="snap.chromium.chromium" pid=NNNNN comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="mknod" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_FileUser" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="mknod" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_IOThread" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_FileUser" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/" pid=NNNNN comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/" pid=NNNNN comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/policy.json" pid=NNNNN comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/recommended/" pid=NNNNN comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/recommended/" pid=NNNNN comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/NNNNN/oom_score_adj" pid=NNNNN comm="chromium-browse" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/NNNNN/setgroups" pid=NNNNN comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/NNNNN/uid_map" pid=NNNNN comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/usr/share/applications/" pid=NNNNN comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/usr/share/applications/python3.5.desktop" pid=NNNNN comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/usr/share/applications/vim.desktop" pid=NNNNN comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/applications/" pid=NNNNN comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/var/tmp/" pid=NNNNN comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="truncate" profile="snap.chromium.chromium" name="/proc/17939/oom_score_adj" pid=NNNNN comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="unlink" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_FileUser" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="unlink" profile="snap.chromium.chromium" name="/dev/.org.chromium.Chromium.NNNNNN" pid=NNNNN comm="Chrome_IOThread" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
New value:
As I understand it, we plan to punch holes in AA and seccomp specifically for a new chromium profile. From devmode, I extracted the apparmor denials for chromium browser.

2016-05-31 17:28:57 | Jamie Strandboge | tags | (none) -> snapd-interface

2016-05-31 17:29:16 | Jamie Strandboge | summary
Old value: snappy needs security policy for chromium
New value: allow chromium to use user namespaces in its sandbox

2016-05-31 17:31:09 | Jamie Strandboge | description
Old value:
As I understand it, we plan to punch holes in AA and seccomp specifically for a new chromium profile. From devmode, I extracted the apparmor denials for chromium browser.
New value:
AppArmor is blocking chromium's use of user namespaces:
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/NNNNN/setgroups" pid=NNNNN comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/NNNNN/uid_map" pid=NNNNN comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000
As a workaround, chromium can disable its sandbox when running under snapd. Longer term, snapd should leverage the apparmor stacking work to allow snaps to set up user namespaces via interfaces.
= Original text =
As I understand it, we plan to punch holes in AA and seccomp specifically for a new chromium profile. From devmode, I extracted the apparmor denials for chromium browser.
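
An added example (not part of the bug report or of snapd) for triaging a devmode log like the one in this entry: it parses AppArmor's key=value audit lines, groups them by operation and target with PIDs collapsed, and flags the /proc/PID/setgroups and uid_map writes as the user-namespace setup described above. The sample lines are constructed, and treating gid_map like uid_map is an assumption beyond the lines the report shows.

```python
import re
from collections import Counter

# Constructed sample in the format of the devmode log in this bug (PIDs made up).
SAMPLE_LOG = """\
apparmor="ALLOWED" operation="capable" profile="snap.chromium.chromium" pid=12345 comm="chromium-browse" capability=21 capname="sys_admin"
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/12345/setgroups" pid=12345 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/proc/12345/uid_map" pid=12345 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/policy.json" pid=12345 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/tmp/" pid=12346 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Writing these /proc/PID files is how an unprivileged process sets up a user namespace.
USERNS_RE = re.compile(r"^/proc/\d+/(setgroups|uid_map|gid_map)$")

def parse_line(line):
    """Parse one AppArmor audit line into a dict of field name -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def normalize_path(path):
    """Collapse per-process PIDs and numeric suffixes so repeats group together."""
    path = re.sub(r"^/proc/\d+/", "/proc/PID/", path)
    return re.sub(r"\.\d+$", ".N", path)

def summarize(log_text):
    """Count each distinct (operation, target, denied_mask) and return separately the
    user-namespace ones. ALLOWED is devmode logging what strict mode would deny."""
    events = Counter()
    userns = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # not a confinement event
        target = ev.get("name") or ev.get("capname", "")
        key = (ev["operation"], normalize_path(target), ev.get("denied_mask", ""))
        events[key] += 1
        if USERNS_RE.match(ev.get("name", "")):
            userns.append(key)
    return events, userns

if __name__ == "__main__":
    events, userns = summarize(SAMPLE_LOG)
    for key, n in sorted(events.items()):
        print(f"{n:3d}x {key[0]:8s} {key[1]} mask={key[2]}")
    print("user namespace setup denials:", userns)
```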
|
2016-05-31 17:31:14 | Jamie Strandboge | snappy: status | New -> Triaged

2016-05-31 17:31:18 | Jamie Strandboge | snappy: importance | Undecided -> Medium

2016-06-29 13:42:14 | Jamie Strandboge | summary
Old value: allow chromium to use user namespaces in its sandbox
New value: allow applications to use user namespaces in its sandbox

2016-08-05 20:14:25 | Jamie Strandboge | snappy: status | Triaged -> In Progress

2016-08-05 20:14:27 | Jamie Strandboge | snappy: assignee | (none) -> Jamie Strandboge (jdstrand)

2016-08-05 21:38:33 | Jamie Strandboge | summary
Old value: allow applications to use user namespaces in its sandbox
New value: allow browsers to use user namespaces in its sandbox

2016-08-08 13:37:11 | Jamie Strandboge | snappy: status | In Progress -> Fix Committed

2016-08-26 14:04:09 | Jamie Strandboge | snappy: status | Fix Committed -> Fix Released

2016-08-26 14:38:05 | Zygmunt Krynicki | snappy: milestone | (none) -> 2.12
