Ubuntu
apparmor package

chromium needs to be able to execute its own sandbox binary to function

Bug #1273607 reported by Nick Moffitt on 2014-01-28

This bug report is a duplicate of: Bug #1247269: apparmor profile should track new chromium-browser sandbox name. Edit Remove

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	apparmor (Ubuntu)	Confirmed	Undecided	Unassigned

Bug Description

[1535661.818433] type=1400 audit(1390900754.319:5783451): apparmor="DENIED" operation="exec" parent=7938 profile="/usr/lib/chromium-browser/chromium-browser" name="/usr/lib/chromium-browser/chrome-sandbox" pid=22049 comm="chromium-browse" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

When /usr/bin/chromium-browser is in enforce mode in saucy (and presumably trusty still has this problem), it is unable to launch its own sandbox executable. This makes things like opening new tabs and going into incognito mode impossible.

ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: apparmor-profiles 2.8.0-0ubuntu31.1
ProcVersionSignature: Ubuntu 3.11.0-15.23-generic 3.11.10
Uname: Linux 3.11.0-15-generic x86_64
ApportVersion: 2.12.5-0ubuntu2.2
Architecture: amd64
Date: Tue Jan 28 09:32:02 2014
EcryptfsInUse: Yes
MarkForUpload: True
PackageArchitecture: all
ProcKernelCmdline: root=UUID=5237fceb-23d0-412d-84d9-b8f8b3bf28af ro quiet splash
SourcePackage: apparmor
Syslog:

UpgradeStatus: Upgraded to saucy on 2013-09-17 (132 days ago)
modified.conffile..etc.apparmor.d.usr.bin.chromium.browser: [modified]
mtime.conffile..etc.apparmor.d.usr.bin.chromium.browser: 2014-01-28T09:20:40.838649

Tags:

Revision history for this message

Nick Moffitt (nick-moffitt) wrote on 2014-01-28:

ApparmorPackages.txt Edit (306 bytes, text/plain; charset="utf-8")
ApparmorStatusOutput.txt Edit (715.7 KiB, text/plain; charset="utf-8")
Dependencies.txt Edit (3.2 KiB, text/plain; charset="utf-8")
KernLog.txt Edit (2.2 MiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (133 bytes, text/plain; charset="utf-8")
PstreeP.txt Edit (34.5 KiB, text/plain; charset="utf-8")

Revision history for this message

Nick Moffitt (nick-moffitt) wrote on 2014-01-28:

I found this in the profile:

  # Allow transitions to ourself and our sandbox
  /usr/lib/chromium-browser/chromium-browser ix,
  /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,

This seems to have become insufficient somehow. In the chromium_browser_sandbox profile:

/usr/lib/chromium-browser/chromium-browser-sandbox r,

So is it just that a sandbox process can't start another one?

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-02-28:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status:	New → Confirmed

Revision history for this message

Foivos Zakkak (foivos) wrote on 2014-02-28:

It looks like the sandbox is called chrome-sandbox and not chromium-browser-sandbox anymore

Revision history for this message

Foivos Zakkak (foivos) wrote on 2014-02-28:

usr.bin.chromium-browser.patch Edit (1.6 KiB, text/plain)

Please try this patch and let me know.

Revision history for this message

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2014-02-28:

The attachment "usr.bin.chromium-browser.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags:

added: patch