Comment 0 for bug 1712044

ts (tsdz) wrote :

If Chromium is started, a plethora of AppArmor notifications are shown (apparmor-notify installed) and logged to syslog.

I would expect that these are included in the supplied AppArmor profile and no notifications/log entries appear.

Example in syslog:

kernel: [85217.346416] kauditd_printk_skb: 67 callbacks suppressed
kernel: [85217.346418] audit: type=1400 audit(1503309729.810:2095): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1110/setgroups" pid=1110 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.346419] audit: type=1400 audit(1503309729.810:2096): apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=1110 comm="chromium-browse" capability=21 capname="sys_admin"
kernel: [85217.346420] audit: type=1400 audit(1503309729.810:2097): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1110/gid_map" pid=1110 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.346420] audit: type=1400 audit(1503309729.810:2098): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1110/uid_map" pid=1110 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.347648] audit: type=1400 audit(1503309729.810:2099): apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=1069 comm="chromium-browse" capability=21 capname="sys_admin"
kernel: [85217.348429] audit: type=1400 audit(1503309729.814:2100): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1111/setgroups" pid=1111 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.348430] audit: type=1400 audit(1503309729.814:2101): apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=1111 comm="chromium-browse" capability=21 capname="sys_admin"
kernel: [85217.348431] audit: type=1400 audit(1503309729.814:2102): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1111/uid_map" pid=1111 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.348432] audit: type=1400 audit(1503309729.814:2103): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1111/gid_map" pid=1111 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.654651] audit: type=1400 audit(1503309730.118:2104): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1111/setgroups" pid=1111 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [85262.883573] kauditd_printk_skb: 114 callbacks suppressed
kernel: [85262.883577] audit: type=1400 audit(1503309775.343:2219): apparmor="ALLOWED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/tr" pid=1299 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
kernel: [85262.883658] audit: type=1400 audit(1503309775.343:2220): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/dev/null" pid=1299 comm="tr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
kernel: [85262.883677] audit: type=1400 audit(1503309775.343:2221): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/usr/bin/tr" pid=1299 comm="tr" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
kernel: [85262.883697] audit: type=1400 audit(1503309775.343:2222): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=1299 comm="tr" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
kernel: [85262.883802] audit: type=1400 audit(1503309775.343:2223): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/etc/ld.so.cache" pid=1299 comm="tr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [85262.883813] audit: type=1400 audit(1503309775.343:2224): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=1299 comm="tr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [85262.883826] audit: type=1400 audit(1503309775.343:2225): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=1299 comm="tr" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
kernel: [85262.884160] audit: type=1400 audit(1503309775.347:2226): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/usr/lib/locale/locale-archive" pid=1299 comm="tr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [85262.887590] audit: type=1400 audit(1503309775.347:2227): apparmor="ALLOWED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/tr" pid=1304 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
kernel: [85262.887684] audit: type=1400 audit(1503309775.347:2228): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr" name="/usr/bin/tr" pid=1304 comm="tr" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
kernel: [85277.740804] kauditd_printk_skb: 21 callbacks suppressed
kernel: [85277.740807] audit: type=1400 audit(1503309790.203:2250): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/vmstat" pid=1069 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [85277.874037] audit: type=1400 audit(1503309790.335:2251): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1352/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874082] audit: type=1400 audit(1503309790.335:2252): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1353/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874123] audit: type=1400 audit(1503309790.335:2253): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1354/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874177] audit: type=1400 audit(1503309790.335:2254): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1355/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874225] audit: type=1400 audit(1503309790.335:2255): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1356/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.875432] audit: type=1400 audit(1503309790.335:2256): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1352/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.875467] audit: type=1400 audit(1503309790.335:2257): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1353/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.875501] audit: type=1400 audit(1503309790.335:2258): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1354/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.875563] audit: type=1400 audit(1503309790.335:2259): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1352/task/1352/status" pid=1069 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85287.429217] kauditd_printk_skb: 10 callbacks suppressed
kernel: [85287.429220] audit: type=1400 audit(1503309799.891:2270): apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=1142 comm="chromium-browse" capability=21 capname="sys_admin"

Release: Ubuntu 16.04.3 LTS
Package Version: chromium-browser 60.0.3112.78-0ubuntu0.16.04.1293