More resources must be added into Chromium profile

Bug #1101298 reported by Gökçen Eraslan on 2013-01-18
Affects: apparmor (Ubuntu)

Bug Description

When I install the apparmor-profiles package and set the Chromium AppArmor profile to enforce mode, Chromium cannot detect the default browser and claims that it is not the default browser even though I set it so. And I see this line in dmesg:

... type=1400 audit(1358526376.204:84): apparmor="DENIED" operation="exec" parent=6216 profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/gawk" pid=6220 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Now, there is only a /usr/bin/mawk line in the Chromium AppArmor profile, but users may use a different implementation thanks to the alternatives system.

In addition, my dmesg is flooded by these lines:

... type=1400 audit(1358527121.548:197): apparmor="DENIED" operation="open" parent=6072 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=8984 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

It would be nice to see "/sys/devices/system/**/cpufreq/cpuinfo_max_freq r," added to the profile.

My patch regarding the issue is attached.
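
An added example (not part of the original report or its attached patch): a small triage script that groups AppArmor DENIED records by profile and turns each into a candidate rule, run over the denials quoted above. The function names and the `<ix|Px|Cx|ux>` placeholder are assumptions of this example; exec denials are only flagged, because the transition mode has to be chosen by a reviewer.

```python
import re
from collections import Counter

# Constructed sample: the two denials quoted in the report (the second one
# repeated to mimic the flood) plus one constructed non-AppArmor line.
SAMPLE_LOG = """\
... type=1400 audit(1358526376.204:84): apparmor="DENIED" operation="exec" parent=6216 profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/gawk" pid=6220 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
... type=1400 audit(1358527121.548:197): apparmor="DENIED" operation="open" parent=6072 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=8984 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
... type=1400 audit(1358527121.548:197): apparmor="DENIED" operation="open" parent=6072 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=8984 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
... usb 1-1: new high-speed USB device (constructed noise line)
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for any other line."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields

def suggest_rules(log_text):
    """Map profile name -> {candidate rule: number of matching denials}."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if not fields or "name" not in fields or "profile" not in fields:
            continue
        mask = fields.get("denied_mask", "")
        if "x" in mask:
            # An allow rule needs an explicit exec transition; never guess it.
            rule = f'{fields["name"]} <ix|Px|Cx|ux>,  # REVIEW: choose exec mode'
        else:
            rule = f'{fields["name"]} {mask},'
        hits[(fields["profile"], rule)] += 1
    grouped = {}
    for (profile, rule), count in hits.items():
        grouped.setdefault(profile, {})[rule] = count
    return grouped

if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"profile {profile}")
        for rule, count in rules.items():
            print(f"  {rule}  # seen {count}x")
```

The `//xdgsettings` suffix in the first record names a child profile, so the gawk rule belongs in that child block rather than in the main Chromium profile; whether to widen `cpu0` to a glob, as proposed above, remains a reviewer's decision.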

Gökçen Eraslan (gkcn) wrote :

It seems that adding the gawk and cpuinfo_max_freq lines to the profile is not enough; Chromium also needs the lsb_release command and, even more important, the gnome-control-center command to open up proxy settings.

Maybe it's better to add /usr/bin/gnome-control-center in ux Access Mode.

affects: apparmor → apparmor-profiles
summary: - Chromium cannot detect the default browser in apparmor enforce mode if
- gawk is the default awk
+ Chromium profile needs more executables to be added
Gökçen Eraslan (gkcn) on 2013-01-18
summary: - Chromium profile needs more executables to be added
+ More resources must be added into Chromium profile
intrigeri (intrigeri) wrote :

This bug report is about the custom profile shipped by Ubuntu in their apparmor-profiles package (and nowhere else AFAIK), not about the apparmor-profiles project (yeah, it's confusing, I know).

affects: apparmor-profiles → apparmor (Ubuntu)

The attachment "apparmor.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu5

apparmor (2.12-4ubuntu5) bionic; urgency=medium

  [ Didier Roche ]
  * debian/patches/ubuntu/communitheme-snap-support.patch:
    - support communitheme snap (LP: #1762983)

  [ Jamie Strandboge ]
  * debian/patches/ubuntu/add-chromium-browser.patch: adjust for newer
    chromium (LP: #1101298, LP: #1594589, LP: #1647142)
    - add attach_disconnected
    - allow reading /proc/vmstat
    - don't require owner match for /proc/pid/{stat,status} and task
    - adjust pci[0-9] to be pci[0-9a-f]
    - allow reading all uevents and /sys/devices/virtual/tty/tty0/active
    - allow ptracing xdgsettings and lsb-release
    - xdgsettings uses head and tr and looks at /usr/share/ubuntu/applications/
    - lsb-release uses python 3.6 and looks at apport, apt.conf, dpkg and
    - use 'm' on sandbox
  * debian/patches/ubuntu/mimeinfo-snap-support.patch: allow reading
    /var/lib/snapd/desktop/applications *.desktop and mimeinfo.cache
    (LP: #1712039)

 -- Jamie Strandboge <email address hidden> Tue, 17 Apr 2018 20:15:16 +0000

Changed in apparmor (Ubuntu):
status: New → Fix Released