Chromium needs more access

Bug #1154164 reported by Simon Déziel on 2013-03-12
Affects: apparmor (Ubuntu)
Importance: Medium
Assigned to: Jamie Strandboge

Bug Description

When using the apparmor profile for Chromium I get the following logs:

Mar 11 21:08:30 simon-laptop kernel: [63629.304008] type=1400 audit(1363050510.703:147): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=28320 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:30 simon-laptop kernel: [63629.329904] type=1400 audit(1363050510.727:148): apparmor="ALLOWED" operation="open" parent=28324 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=28325 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:31 simon-laptop kernel: [63629.823702] type=1400 audit(1363050511.223:149): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/virtual/block/dm-10/uevent" pid=28342 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:31 simon-laptop kernel: [63629.823879] type=1400 audit(1363050511.223:150): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/virtual/block/dm-10/removable" pid=28342 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:31 simon-laptop kernel: [63629.823906] type=1400 audit(1363050511.223:151): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/virtual/block/dm-10/size" pid=28342 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:31 simon-laptop kernel: [63629.824069] type=1400 audit(1363050511.223:152): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/virtual/block/dm-1/uevent" pid=28342 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:31 simon-laptop kernel: [63629.824291] type=1400 audit(1363050511.223:153): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/virtual/block/dm-1/removable" pid=28342 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:31 simon-laptop kernel: [63629.824321] type=1400 audit(1363050511.223:154): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/virtual/block/dm-1/size" pid=28342 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:31 simon-laptop kernel: [63629.824435] type=1400 audit(1363050511.223:155): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/virtual/block/dm-0/uevent" pid=28342 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:31 simon-laptop kernel: [63629.824736] type=1400 audit(1363050511.223:156): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/virtual/block/dm-0/removable" pid=28342 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:36 simon-laptop kernel: [63634.907161] audit_printk_skb: 51 callbacks suppressed
Mar 11 21:08:36 simon-laptop kernel: [63634.907167] type=1400 audit(1363050516.319:174): apparmor="ALLOWED" operation="exec" parent=28401 profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/gawk" pid=28405 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-60"

The attached patch extends the allowed rules to avoid those messages.

$ lsb_release -rd
Description: Ubuntu 12.04.2 LTS
Release: 12.04

$ apt-cache policy apparmor apparmor-profiles chromium-browser
apparmor:
  Installed: 2.7.102-0ubuntu3.8
  Candidate: 2.7.102-0ubuntu3.8
  Version table:
 *** 2.7.102-0ubuntu3.8 0
        500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.7.102-0ubuntu3.7 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     2.7.102-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
apparmor-profiles:
  Installed: 2.7.102-0ubuntu3.8
  Candidate: 2.7.102-0ubuntu3.8
  Version table:
 *** 2.7.102-0ubuntu3.8 0
        500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.7.102-0ubuntu3.7 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     2.7.102-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
chromium-browser:
  Installed: 25.0.1364.160-0ubuntu0.12.04.1
  Candidate: 25.0.1364.160-0ubuntu0.12.04.1
  Version table:
 *** 25.0.1364.160-0ubuntu0.12.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     18.0.1025.151~r130497-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages
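
The audit lines in the description are the raw material a profile rule is derived from. As an added example (not the patch attached to this bug, which is not reproduced on the page), the script below parses such lines, flags that apparmor="ALLOWED" means the profile was in complain mode rather than enforcing, and emits candidate rules grouped by profile. Collapsing cpu0/dm-N into globs and choosing ix for the exec event are this script's own heuristics, not the rules Jamie's upload actually contains.

```python
import re
from collections import defaultdict

# Constructed sample: five kernel log lines copied verbatim from the report above.
SAMPLE_LOG = """\
Mar 11 21:08:30 simon-laptop kernel: [63629.304008] type=1400 audit(1363050510.703:147): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=28320 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:31 simon-laptop kernel: [63629.823702] type=1400 audit(1363050511.223:149): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/virtual/block/dm-10/uevent" pid=28342 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:31 simon-laptop kernel: [63629.824069] type=1400 audit(1363050511.223:152): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/virtual/block/dm-1/uevent" pid=28342 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 11 21:08:36 simon-laptop kernel: [63634.907161] audit_printk_skb: 51 callbacks suppressed
Mar 11 21:08:36 simon-laptop kernel: [63634.907167] type=1400 audit(1363050516.319:174): apparmor="ALLOWED" operation="exec" parent=28401 profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/gawk" pid=28405 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-60"
"""

# key="quoted value" or key=bareword, as printed by the AppArmor audit hook
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_events(log_text):
    """One dict per AppArmor audit line; other kernel lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if 'apparmor="' not in line:
            continue  # e.g. "audit_printk_skb: N callbacks suppressed": the log has gaps
        events.append({k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)})
    return events

def complain_profiles(events):
    """apparmor="ALLOWED" means the access went through: the profile is in
    complain mode, not enforcing (an enforcing profile logs "DENIED")."""
    return {ev["profile"] for ev in events if ev.get("apparmor") == "ALLOWED"}

def generalize(path):
    """Heuristic of this script (not aa-logprof's): collapse numbered sysfs
    entries so one rule covers cpu0..cpuN / dm-0..dm-N. AppArmor's * does
    not match '/', so the glob stays inside that path component."""
    path = re.sub(r"/cpu\d+/", "/cpu[0-9]*/", path)
    return re.sub(r"/dm-\d+/", "/dm-[0-9]*/", path)

def suggest_rules(events):
    """Candidate profile rules, grouped by the profile that logged them."""
    rules = defaultdict(set)
    for ev in events:
        if "profile" not in ev or "name" not in ev:
            continue
        if ev.get("operation") == "exec":
            # An unruled exec in complain mode lands in a transient null-NN profile
            # (the target= field). 'ix' keeps the child under the parent's confinement.
            rules[ev["profile"]].add(f'{ev["name"]} ix,')
        else:
            mask = ev.get("denied_mask") or ev.get("requested_mask", "")
            rules[ev["profile"]].add(f'{generalize(ev["name"])} {mask},')
    return {profile: sorted(r) for profile, r in rules.items()}
```

Feed it the output of `grep apparmor= /var/log/kern.log` and review each suggested rule before adding it; a rule derived from a complain-mode log is only as complete as the log, and the "callbacks suppressed" line shows events were dropped here.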

Simon Déziel (sdeziel) wrote :

The attachment "usr.bin.chromium-browser.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Jamie Strandboge (jdstrand) wrote :

Thanks for your patch. I adjusted it a bit and uploaded it just now (though it needs to be accepted first).

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu11

---------------
apparmor (2.8.0-0ubuntu11) raring; urgency=low

  * 0025-update-pulseaudio-paths.patch: update path for pulseaudio directory
    and cookie files
  * 0026-add-vm_overcommit_memory.patch: add read access to
    @{PROC}/sys/vm/overcommit_memory
  * update 0001-add-chromium-browser.patch:
    - additional accesses required by newer chromium-browser. Patch based on
      work by Simon Deziel (LP: #1154164)
    - don't include abstractions already included via gnome abstraction
    - allow access to dconf/gsettings, required now
 -- Jamie Strandboge <email address hidden> Mon, 08 Apr 2013 14:57:14 -0500

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released