Apparmor chromium profile denies loading policies

Bug #1419294 reported by Esokrates
This bug affects 1 person
Affects: apparmor (Ubuntu)
Assigned to: Steve Beattie

Bug Description

Profiles in /etc/chromium-browser/policies/managed or /etc/chromium-browser/policies/recommended are ignored when using the apparmor profile.

Syslog excerpt:

Feb 7 17:10:11 ubuntu kernel: [23893.781721] audit: type=1400 audit(1423325411.004:109): apparmor="DENIED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/etc/chromium-browser/policies/managed/policy.json" pid=16928 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

How to test:

Create a file policy.json in /etc/chromium-browser/policies/managed containing:

  {
    "RestoreOnStartup": 1
  }

Start the browser and type in "about:policy". Normally you should see the policy being listed there, which is currently not the case because apparmor denies reading the policy file.
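The denial in the syslog excerpt can be turned into a candidate profile rule mechanically. The following is an added example, not part of the original report and not the rule shipped in add-chromium-browser.patch (which this page does not show). The function names and the `whole_dir` option are assumptions made for illustration.

```python
import posixpath
import re

# Syslog line copied from the bug description above.
SAMPLE = ('Feb 7 17:10:11 ubuntu kernel: [23893.781721] audit: type=1400 '
          'audit(1423325411.004:109): apparmor="DENIED" operation="open" '
          'profile="/usr/lib/chromium-browser/chromium-browser" '
          'name="/etc/chromium-browser/policies/managed/policy.json" pid=16928 '
          'comm="Chrome_FileThre" requested_mask="r" denied_mask="r" '
          'fsuid=1000 ouid=0')

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    start = line.find('apparmor="DENIED"')
    if start < 0:
        return None
    fields = {}
    for key, quoted, bare in FIELD.findall(line[start:]):
        value = bare or quoted
        # The audit subsystem hex-encodes path names that contain spaces or
        # other special characters and writes them without quotes.
        if key == "name" and bare:
            try:
                value = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex after all; keep the raw value
        fields[key] = value
    return fields


def candidate_rule(fields, whole_dir=False):
    """Return (profile, rule) for the narrowest rule covering the denial."""
    path, mask = fields["name"], fields["denied_mask"]
    if whole_dir:
        # Assumption: every file in that directory should get the same access.
        path = posixpath.dirname(path) + "/*"
    if re.search(r"\s", path):
        path = '"%s"' % path  # AppArmor requires quotes around paths with spaces
    return fields["profile"], "%s %s," % (path, mask)


if __name__ == "__main__":
    profile, rule = candidate_rule(parse_denial(SAMPLE))
    print("profile %s needs: %s" % (profile, rule))
```

Review the generated rule before adding it to a profile: the record also shows `fsuid=1000 ouid=0` and a mask of `r` only, so here the browser is asking to read a root-owned file and nothing more.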

Esokrates (esokrarkose) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "patch.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
tags: added: aa-policy
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in apparmor (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.9.1-0ubuntu8

apparmor (2.9.1-0ubuntu8) vivid; urgency=medium

  [ Steve Beattie ]
  * debian/rules: run make check on the libapparmor library
  * add-chromium-browser.patch: add support for chromium policies
    (LP: #1419294)
  * debian/apparmor.{init,upstart}: add support for triggering
    aa-profile-hook runs when packages are updated via snappy system
    image updates (LP: #1434143)
  * parser-fix_modifier_compilation_+_tests.patch: fix compilation
    of audit modifiers for exec and pivot_root and deny modifiers on
    link rules as well as significantly expand related tests
    (LP: #1431717, LP: #1432045, LP: #1433829)
  * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work
    around pivot_root test failures due to init=systemd (LP: #1436109)
  * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority
    file to X abstraction (LP: #1432126)

  [ Jamie Strandboge ]
  * easyprof-framework-policy.patch: add --include-templates-dir and
    --include-policy-groups-dir options to easyprof to support framework
    policy on snappy

  [ Robie Basak ]
  * Add /lib/apparmor/profile-load; moved from
    /lib/init/apparmor-profile-load from the upstart package. A wrapper at
    the original path is now provided by init-system-helpers. (LP: #1432683)
 -- Jamie Strandboge <email address hidden> Sat, 28 Mar 2015 07:22:30 -0500

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released