Apparmor chromium profile denies loading policies

Bug #1419294 reported by Esokrates on 2015-02-07
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Steve Beattie

Bug Description

Profiles in /etc/chromium-browser/policies/managed or /etc/chromium-browser/policies/recommended are ignored when using the apparmor profile.

Syslog excerpt:

Feb 7 17:10:11 ubuntu kernel: [23893.781721] audit: type=1400 audit(1423325411.004:109): apparmor="DENIED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/etc/chromium-browser/policies/managed/policy.json" pid=16928 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

How to test:

Create a file policy.json in /etc/chromium-browser/policies/managed containing:

  "RestoreOnStartup": 1

start the browser and type in "about:policy". Normally you should see the policy being listed there, which is currently not the case because apparmor denies the reading the policy file.

Esokrates (esokrarkose) wrote :

The attachment "patch.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
tags: added: aa-policy
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in apparmor (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.9.1-0ubuntu8

apparmor (2.9.1-0ubuntu8) vivid; urgency=medium

  [ Steve Beattie ]
  * debian/rules: run make check on the libapparmor library
  * add-chromium-browser.patch: add support for chromium policies
    (LP: #1419294)
  * debian/apparmor.{init,upstart}: add support for triggering
    aa-profile-hook runs when packages are updated via snappy system
    image updates (LP: #1434143)
  * parser-fix_modifier_compilation_+_tests.patch: fix compilation
    of audit modifiers for exec and pivot_root and deny modifiers on
    link rules as well as significantly expand related tests
    (LP: #1431717, LP: #1432045, LP: #1433829)
  * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work
    around pivot_root test failures due to init=systemd (LP: #1436109)
  * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority
    file to X abstraction (LP: #1432126)

  [ Jamie Strandboge ]
  * easyprof-framework-policy.patch: add --include-templates-dir and
    --include-policy-groups-dir options to easyprof to support framework
    policy on snappy

  [ Robie Basak ]
  * Add /lib/apparmor/profile-load; moved from
    /lib/init/apparmor-profile-load from the upstart package. A wrapper at
    the original path is now provided by init-system-helpers. (LP: #1432683)
 -- Jamie Strandboge <email address hidden> Sat, 28 Mar 2015 07:22:30 -0500

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers