AppArmor profile misses entries

Bug #1712044 reported by ts
This bug affects 1 person
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

If Chromium is started, a plethora of AppArmor notifications are shown (apparmor-notify installed) and logged to syslog.

I would expect that these are included in the supplied AppArmor profile and no notifications/log entries appear.

Example in syslog:

kernel: [85217.346416] kauditd_printk_skb: 67 callbacks suppressed
kernel: [85217.346418] audit: type=1400 audit(1503309729.810:2095): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1110/setgroups" pid=1110 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.346419] audit: type=1400 audit(1503309729.810:2096): apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=1110 comm="chromium-browse" capability=21 capname="sys_admin"
kernel: [85217.346420] audit: type=1400 audit(1503309729.810:2097): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1110/gid_map" pid=1110 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.346420] audit: type=1400 audit(1503309729.810:2098): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1110/uid_map" pid=1110 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.347648] audit: type=1400 audit(1503309729.810:2099): apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=1069 comm="chromium-browse" capability=21 capname="sys_admin"
kernel: [85217.348429] audit: type=1400 audit(1503309729.814:2100): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1111/setgroups" pid=1111 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.348430] audit: type=1400 audit(1503309729.814:2101): apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=1111 comm="chromium-browse" capability=21 capname="sys_admin"
kernel: [85217.348431] audit: type=1400 audit(1503309729.814:2102): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1111/uid_map" pid=1111 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.348432] audit: type=1400 audit(1503309729.814:2103): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1111/gid_map" pid=1111 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.654651] audit: type=1400 audit(1503309730.118:2104): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1111/setgroups" pid=1111 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85262.883573] kauditd_printk_skb: 114 callbacks suppressed
kernel: [85262.883577] audit: type=1400 audit(1503309775.343:2219): apparmor="ALLOWED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/tr" pid=1299 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
kernel: [85262.883658] audit: type=1400 audit(1503309775.343:2220): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/dev/null" pid=1299 comm="tr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
kernel: [85262.883677] audit: type=1400 audit(1503309775.343:2221): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/usr/bin/tr" pid=1299 comm="tr" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
kernel: [85262.883697] audit: type=1400 audit(1503309775.343:2222): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=1299 comm="tr" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
kernel: [85262.883802] audit: type=1400 audit(1503309775.343:2223): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/etc/ld.so.cache" pid=1299 comm="tr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [85262.883813] audit: type=1400 audit(1503309775.343:2224): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=1299 comm="tr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [85262.883826] audit: type=1400 audit(1503309775.343:2225): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=1299 comm="tr" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
kernel: [85262.884160] audit: type=1400 audit(1503309775.347:2226): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/usr/lib/locale/locale-archive" pid=1299 comm="tr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [85262.887590] audit: type=1400 audit(1503309775.347:2227): apparmor="ALLOWED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/tr" pid=1304 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
kernel: [85262.887684] audit: type=1400 audit(1503309775.347:2228): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/usr/bin/tr" pid=1304 comm="tr" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
kernel: [85277.740804] kauditd_printk_skb: 21 callbacks suppressed
kernel: [85277.740807] audit: type=1400 audit(1503309790.203:2250): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/vmstat" pid=1069 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [85277.874037] audit: type=1400 audit(1503309790.335:2251): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1352/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874082] audit: type=1400 audit(1503309790.335:2252): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1353/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874123] audit: type=1400 audit(1503309790.335:2253): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1354/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874177] audit: type=1400 audit(1503309790.335:2254): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1355/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874225] audit: type=1400 audit(1503309790.335:2255): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1356/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.875432] audit: type=1400 audit(1503309790.335:2256): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1352/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.875467] audit: type=1400 audit(1503309790.335:2257): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1353/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.875501] audit: type=1400 audit(1503309790.335:2258): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1354/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.875563] audit: type=1400 audit(1503309790.335:2259): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1352/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85287.429217] kauditd_printk_skb: 10 callbacks suppressed
kernel: [85287.429220] audit: type=1400 audit(1503309799.891:2270): apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=1142 comm="chromium-browse" capability=21 capname="sys_admin"

Release: Ubuntu 16.04.3 LTS
Package Version: chromium-browser 60.0.3112.78-0ubuntu0.16.04.1293
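An added example, not part of the original report and not AppArmor's own tooling: a short Python script that collapses complain-mode records like the ones above into one line per distinct access, so the accesses missing from the profile can be reviewed without the per-PID repetition. The function names `parse` and `summarise` are hypothetical, and replacing numeric `/proc` path components with the glob `[0-9]*` is an assumption made here for grouping.

```python
import re
from collections import Counter

# Sample input: records copied from the syslog excerpt in the report above.
SAMPLE = '''\
kernel: [85217.346416] kauditd_printk_skb: 67 callbacks suppressed
kernel: [85217.346418] audit: type=1400 audit(1503309729.810:2095): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1110/setgroups" pid=1110 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.346419] audit: type=1400 audit(1503309729.810:2096): apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=1110 comm="chromium-browse" capability=21 capname="sys_admin"
kernel: [85217.348429] audit: type=1400 audit(1503309729.814:2100): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1111/setgroups" pid=1111 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.348430] audit: type=1400 audit(1503309729.814:2101): apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=1111 comm="chromium-browse" capability=21 capname="sys_admin"
kernel: [85262.883577] audit: type=1400 audit(1503309775.343:2219): apparmor="ALLOWED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/tr" pid=1299 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
kernel: [85277.874037] audit: type=1400 audit(1503309790.335:2251): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1352/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874082] audit: type=1400 audit(1503309790.335:2252): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1353/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
NUM_DIR = re.compile(r'(?<=/)\d+(?=/|$)')          # all-digit path component

def parse(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None  # e.g. "kauditd_printk_skb: N callbacks suppressed"
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}

def summarise(log, verdicts=("ALLOWED",)):
    """Count distinct (profile, kind, resource, mask) tuples in a log.

    "ALLOWED" is what a complain-mode profile logs; pass ("DENIED",) to
    summarise an enforcing profile instead. The excerpt only contains
    capability and path-based records, so everything else is keyed by name.
    """
    counts = Counter()
    for line in log.splitlines():
        rec = parse(line)
        if rec is None or rec["apparmor"] not in verdicts:
            continue
        if rec["operation"] == "capable":
            key = (rec["profile"], "capability", rec["capname"], "")
        else:
            name = rec.get("name", "")
            if name.startswith("/proc/"):
                name = NUM_DIR.sub("[0-9]*", name)  # fold PIDs/TIDs together
            key = (rec["profile"], "path", name, rec.get("denied_mask", ""))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (profile, kind, resource, mask), n in summarise(SAMPLE).most_common():
        print(f"{n:3d}  {profile}  {kind} {resource} {mask}".rstrip())
```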

ts (tsdz)
description: updated
Jamie Strandboge (jdstrand) wrote :

This should be fixed in Ubuntu 18.04 (about to be released this week).

affects: chromium-browser (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
status: New → Fix Released