2012-12-18 21:23:16 |
Jamie Strandboge |
bug |
|
|
added bug |
2012-12-18 21:23:42 |
Jamie Strandboge |
summary |
chromium-browser profile is too noisy |
chromium-browser profile is too noisy with chromium-browser 23 |
|
2012-12-18 21:24:09 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Quantal |
|
2012-12-18 21:24:09 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Quantal) |
|
2012-12-18 21:24:09 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Raring |
|
2012-12-18 21:24:09 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Raring) |
|
2012-12-18 21:24:23 |
Jamie Strandboge |
apparmor (Ubuntu Quantal): status |
New |
In Progress |
|
2012-12-18 21:24:23 |
Jamie Strandboge |
apparmor (Ubuntu Quantal): assignee |
|
Jamie Strandboge (jdstrand) |
|
2012-12-18 21:24:36 |
Jamie Strandboge |
apparmor (Ubuntu Raring): status |
New |
In Progress |
|
2012-12-18 21:24:36 |
Jamie Strandboge |
apparmor (Ubuntu Raring): assignee |
|
Jamie Strandboge (jdstrand) |
|
2012-12-18 21:29:17 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Oneiric |
|
2012-12-18 21:29:17 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Oneiric) |
|
2012-12-18 21:29:17 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Precise |
|
2012-12-18 21:29:17 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Precise) |
|
2012-12-18 21:30:41 |
Jamie Strandboge |
apparmor (Ubuntu Oneiric): status |
New |
In Progress |
|
2012-12-18 21:30:41 |
Jamie Strandboge |
apparmor (Ubuntu Oneiric): assignee |
|
Jamie Strandboge (jdstrand) |
|
2012-12-18 21:30:51 |
Jamie Strandboge |
apparmor (Ubuntu Precise): status |
New |
In Progress |
|
2012-12-18 21:30:54 |
Jamie Strandboge |
apparmor (Ubuntu Precise): assignee |
|
Jamie Strandboge (jdstrand) |
|
2012-12-18 21:54:32 |
Jamie Strandboge |
apparmor (Ubuntu Raring): status |
In Progress |
Fix Committed |
|
2012-12-18 22:02:08 |
Jamie Strandboge |
description |
Dec 18 15:13:17 sec-raring-amd64 kernel: [ 632.680157] type=1400 audit(1355865197.303:208): apparmor="DENIED" operation="open" parent=11001 profile="/usr/lib/chromium-browser/chromium-browser" name="/etc/udev/udev.conf" pid=11711 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:13:17 sec-raring-amd64 kernel: [ 632.717497] type=1400 audit(1355865197.339:209): apparmor="DENIED" operation="open" parent=11001 profile="/usr/lib/chromium-browser/chromium-browser" name="/etc/udev/udev.conf" pid=11707 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:13:17 sec-raring-amd64 kernel: [ 632.717580] type=1400 audit(1355865197.339:210): apparmor="DENIED" operation="open" parent=11001 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/pci0000:00/0000:00:04.0/virtio1/block/vda/vda1/uevent" pid=11707 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
...
Dec 18 15:14:37 sec-raring-amd64 kernel: [ 713.153758] type=1400 audit(1355865277.775:229): apparmor="DENIED" operation="open" parent=10823 profile="/usr/lib/chromium-browser/chromium-browser" name="/run/udev/data/b253:1" pid=11813 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:14:37 sec-raring-amd64 kernel: [ 713.153856] type=1400 audit(1355865277.775:230): apparmor="DENIED" operation="open" parent=10823 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/pci0000:00/0000:00:04.0/virtio1/block/vda/removable" pid=11813 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 |
[Impact]
Enabling the chromium-browser profile results in denials with normal usage. The fix in the development release adds:

  @{PROC}/[0-9]*/smaps r,
  @{PROC}/[0-9]*/statm r,
  /etc/udev/udev.conf r,
  /sys/devices/pci[0-9]*/**/removable r,
  /sys/devices/pci[0-9]*/**/uevent r,
  # This is requested, but doesn't seem to actually be needed so deny for now
  deny /run/udev/data/** r,

[Test Case]
1. Install apparmor-profiles and chromium-browser.
2. Enable the chromium-browser profile.
3. Start chromium. Several denials will show up in /var/log/kern.log without this patch. Note that the patch adds additional accesses needed for the upcoming chromium-browser 23.

[Regression Potential]
Regression potential is very low. The chromium-browser profile is not installed by default and when it is installed, the user must enable it. Furthermore, the changes to the profile only provide additional accesses (there is a 'deny' rule, but this is to silence logging the denial).

= Original report =
Dec 18 15:13:17 sec-raring-amd64 kernel: [ 632.680157] type=1400 audit(1355865197.303:208): apparmor="DENIED" operation="open" parent=11001 profile="/usr/lib/chromium-browser/chromium-browser" name="/etc/udev/udev.conf" pid=11711 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:13:17 sec-raring-amd64 kernel: [ 632.717497] type=1400 audit(1355865197.339:209): apparmor="DENIED" operation="open" parent=11001 profile="/usr/lib/chromium-browser/chromium-browser" name="/etc/udev/udev.conf" pid=11707 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:13:17 sec-raring-amd64 kernel: [ 632.717580] type=1400 audit(1355865197.339:210): apparmor="DENIED" operation="open" parent=11001 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/pci0000:00/0000:00:04.0/virtio1/block/vda/vda1/uevent" pid=11707 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
...
Dec 18 15:14:37 sec-raring-amd64 kernel: [ 713.153758] type=1400 audit(1355865277.775:229): apparmor="DENIED" operation="open" parent=10823 profile="/usr/lib/chromium-browser/chromium-browser" name="/run/udev/data/b253:1" pid=11813 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:14:37 sec-raring-amd64 kernel: [ 713.153856] type=1400 audit(1355865277.775:230): apparmor="DENIED" operation="open" parent=10823 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/pci0000:00/0000:00:04.0/virtio1/block/vda/removable" pid=11813 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 |
|
2012-12-18 22:02:29 |
Jamie Strandboge |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2012-12-18 22:15:37 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/raring-proposed/apparmor |
|
2012-12-18 22:54:12 |
Launchpad Janitor |
apparmor (Ubuntu Raring): status |
Fix Committed |
Fix Released |
|
2012-12-19 15:07:41 |
Jamie Strandboge |
apparmor (Ubuntu Oneiric): status |
In Progress |
Fix Committed |
|
2012-12-19 15:07:54 |
Jamie Strandboge |
apparmor (Ubuntu Precise): status |
In Progress |
Fix Committed |
|
2012-12-19 15:10:40 |
Marius B. Kotsbak |
bug |
|
|
added subscriber Marius Kotsbak |
2012-12-19 22:27:12 |
Launchpad Janitor |
apparmor (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
2012-12-19 22:27:24 |
Launchpad Janitor |
apparmor (Ubuntu Oneiric): status |
Fix Committed |
Fix Released |
|
2012-12-19 22:44:52 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-security/apparmor |
|
2012-12-19 23:02:05 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/oneiric-updates/apparmor |
|
2013-01-07 14:09:09 |
Colin Watson |
apparmor (Ubuntu Quantal): status |
In Progress |
Fix Committed |
|
2013-01-07 14:09:14 |
Colin Watson |
bug |
|
|
added subscriber SRU Verification |
2013-01-07 14:09:17 |
Colin Watson |
tags |
|
verification-needed |
|
2013-01-07 14:48:53 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/quantal-proposed/apparmor |
|
2013-04-08 17:20:56 |
Brian Murray |
tags |
verification-needed |
removal-candidate verification-needed |
|
2013-04-13 02:07:19 |
Seth Arnold |
tags |
removal-candidate verification-needed |
removal-candidate verification-done |
|
2013-04-30 04:53:20 |
Scott Kitterman |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2013-04-30 04:54:14 |
Launchpad Janitor |
apparmor (Ubuntu Quantal): status |
Fix Committed |
Fix Released |
|
2013-07-08 18:32:45 |
Launchpad Janitor |
branch linked |
|
lp:~kees/apparmor/debian |
|