apparmor profile should track new chromium-browser sandbox name

Bug #1247269 reported by Chad Miller on 2013-11-01
This bug affects 4 people
Affects: apparmor (Ubuntu); assigned to: Chad Miller

Bug Description

Upstream is encoding the sandbox name in source instead of a compile-time flag. Instead of tracking a new patch, I'm relenting and using the invisible "chrome-browser" name in the lib directory in packaging.

Should add
  /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,
and retain, for a while, the old line
  /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,

The security aspect of this is that lacking this will only make the syslog/dmesg more noisy. The cost of that is that users' attention is finite and precious.
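Added here as a worked check (not code from the bug, the attached patch, or Ubuntu's apparmor packaging): a POSIX shell script that reports which of the two `cx -> chromium_browser_sandbox` rules a profile still lacks, and counts the DENIED exec events for the new sandbox path that show up in the kernel log when the rule is missing. The profile fragment and the audit lines are constructed placeholders, not the real profile or a real log.

```shell
#!/bin/sh
# Constructed fixtures (placeholders, not Ubuntu's real profile or a real log):
# a profile that still carries only the OLD sandbox rule, and a kernel log with
# AppArmor audit events in the shape dmesg/syslog print them.
PROFILE_FIXTURE=$(mktemp)
LOG_FIXTURE=$(mktemp)
trap 'rm -f "$PROFILE_FIXTURE" "$LOG_FIXTURE"' EXIT
cat > "$PROFILE_FIXTURE" <<'EOF'
/usr/bin/chromium-browser {
  /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
}
EOF
cat > "$LOG_FIXTURE" <<'EOF'
kernel: type=1400 audit(1383307200.001:41): apparmor="DENIED" operation="exec" profile="/usr/bin/chromium-browser" name="/usr/lib/chromium-browser/chrome-sandbox" pid=2001 comm="chromium-browse" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
kernel: type=1400 audit(1383307200.002:42): apparmor="STATUS" operation="profile_replace" name="/usr/bin/chromium-browser" pid=2002 comm="apparmor_parser"
kernel: type=1400 audit(1383307200.003:43): apparmor="DENIED" operation="exec" profile="/usr/bin/chromium-browser" name="/usr/lib/chromium-browser/chrome-sandbox" pid=2003 comm="chromium-browse" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
kernel: type=1400 audit(1383307200.004:44): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/chromium-browser" name="/usr/lib/chromium-browser/extra.so" pid=2004 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
EOF

# Print each required sandbox exec rule (new name, plus the old name kept for
# the transition) that PROFILE is missing; prints nothing when it is complete.
missing_sandbox_rules() {
  profile=$1
  for name in chrome-sandbox chromium-browser-sandbox; do
    rule="/usr/lib/chromium-browser/$name cx -> chromium_browser_sandbox,"
    grep -qF -- "$rule" "$profile" || printf '%s\n' "$rule"
  done
  return 0
}

# Count DENIED exec events against the new sandbox binary: each one is the log
# noise the bug describes, and with the rule in place the count should be 0.
count_sandbox_denials() {
  grep -c 'apparmor="DENIED" operation="exec" .*name="/usr/lib/chromium-browser/chrome-sandbox"' "$1" || true
}

echo "Rules missing from $PROFILE_FIXTURE:"
missing_sandbox_rules "$PROFILE_FIXTURE"
echo "Denied sandbox execs in log: $(count_sandbox_denials "$LOG_FIXTURE")"
```

Run it against /etc/apparmor.d/usr.bin.chromium-browser and /var/log/kern.log to check a live system the same way.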

Chad Miller (cmiller) on 2013-11-01
Changed in apparmor (Ubuntu):
assignee: nobody → Chad Miller (cmiller)
Chad Miller (cmiller) on 2013-11-01
Changed in apparmor (Ubuntu):
status: New → In Progress
Simon Déziel (sdeziel) wrote:

@Chad, I run the chromium-browser on precise and there I found it needs your patch and some multiarch rules too. I've attached the complete diff.

$ apt-cache policy chromium-browser apparmor-profiles
  Installed: 30.0.1599.114-0ubuntu0.12.04.3
  Candidate: 30.0.1599.114-0ubuntu0.12.04.3
  Version table:
 *** 30.0.1599.114-0ubuntu0.12.04.3 0
        500 precise-updates/universe amd64 Packages
        500 precise-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     18.0.1025.151~r130497-0ubuntu1 0
        500 precise/universe amd64 Packages
  Installed: 2.7.102-0ubuntu3.9
  Candidate: 2.7.102-0ubuntu3.9
  Version table:
 *** 2.7.102-0ubuntu3.9 0
        500 precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.7.102-0ubuntu3.7 0
        500 precise-security/main amd64 Packages
     2.7.102-0ubuntu3 0
        500 precise/main amd64 Packages

Ubuntu Foundations Team Bug Bot (crichton) wrote:

The attachment "Chromium sandbox name change + multiarch rules" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apparmor - 2.8.0-0ubuntu34

apparmor (2.8.0-0ubuntu34) trusty; urgency=low

  [ Tyler Hicks ]
  * 0078-parser-check-for-dbus-kernel-support.patch: The parser should not
    include D-Bus rules in the binary policy that it loads into the kernel if
    the kernel does not support D-Bus rules (LP: #1231778)
  * 0079-utils-ignore-unsupported-log-events.patch: aa-logprof should ignore
    audit events that it does not yet support instead of treating them as
    errors (LP: #1243932)
  * 0080-tests-use-ldconfig-for-library-detection.patch: Fix libapparmor
    detection in regression tests after the multiarch changes

  [ Jamie Strandboge ]
  * 0081-python-abstraction-updates.patch: Add rules in support of Python 3.3

  [ Chad Miller ]
  * debian/patches/0001-add-chromium-browser.patch: Follow new chromium-browser
    sandbox name. Keep old name for now to allow transition. LP: #1247269
 -- Tyler Hicks <email address hidden> Mon, 04 Nov 2013 15:57:30 -0800

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Simon Déziel (sdeziel) wrote:

More testing on precise showed that the subprofile also needs "Pxr" instead of just "r" for the chrome_sandbox executable. I've attached a corrected patch.
