apparmor profile should track new chromium-browser sandbox name

Bug #1247269 reported by Chad Miller
This bug affects 4 people
Affects: apparmor (Ubuntu) | Status: Fix Released | Importance: Low | Assigned to: Chad Miller | Milestone: (none)

Bug Description

Upstream is encoding the sandbox name in source instead of a compile time flag. Instead of tracking a new patch, I'm relenting and using the invisible "chrome-browser" name in the lib directory in packaging.

/etc/apparmor.d/usr.bin.chromium-browser
should add
  /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,
and retain for a while the old line
  /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,

The security aspect of this is that lacking this will only make the syslog/dmesg more noisy. The cost of that is that users' attention is finite and precious.

Tags: patch


Chad Miller (cmiller)
Changed in apparmor (Ubuntu):
assignee: nobody → Chad Miller (cmiller)
Chad Miller (cmiller)
Changed in apparmor (Ubuntu):
status: New → In Progress
Revision history for this message
Simon Déziel (sdeziel) wrote :

@Chad, I run the chromium-browser on precise and there I found it needs your patch and some multiarch rules too. I've attached the complete diff.

$ apt-cache policy chromium-browser apparmor-profiles
chromium-browser:
  Installed: 30.0.1599.114-0ubuntu0.12.04.3
  Candidate: 30.0.1599.114-0ubuntu0.12.04.3
  Version table:
 *** 30.0.1599.114-0ubuntu0.12.04.3 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     18.0.1025.151~r130497-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages
apparmor-profiles:
  Installed: 2.7.102-0ubuntu3.9
  Candidate: 2.7.102-0ubuntu3.9
  Version table:
 *** 2.7.102-0ubuntu3.9 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.7.102-0ubuntu3.7 0
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     2.7.102-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Chromium sandbox name change + multiarch rules" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu34

---------------
apparmor (2.8.0-0ubuntu34) trusty; urgency=low

  [ Tyler Hicks ]
  * 0078-parser-check-for-dbus-kernel-support.patch: The parser should not
    include D-Bus rules in the binary policy that it loads into the kernel if
    the kernel does not support D-Bus rules (LP: #1231778)
  * 0079-utils-ignore-unsupported-log-events.patch: aa-logprof should ignore
    audit events that it does not yet support instead of treating them as
    errors (LP: #1243932)
  * 0080-tests-use-ldconfig-for-library-detection.patch: Fix libapparmor
    detection in regression tests after the multiarch changes

  [ Jamie Strandboge ]
  * 0081-python-abstraction-updates.patch: Add rules in support of Python 3.3

  [ Chad Miller ]
  * debian/patches/0001-add-chromium-browser.patch: Follow new chromium-browser
    sandbox name. Keep old name for now to allow transition. LP: #1247269
 -- Tyler Hicks <email address hidden> Mon, 04 Nov 2013 15:57:30 -0800

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Simon Déziel (sdeziel) wrote :

More testing on precise showed that the subprofile also needs "Pxr" instead of just "r" for the chrome_sandbox executable. I've attached a corrected patch.
