apparmor chromium profile blocks yubikeys
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apparmor (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Hi,
some months ago (can't give a precise date) I could use all my pure u2f tokens, as well as Yubikey tokens with mixed apps (yubikey 4, yubikey neo) pretty well with chromium browser as u2f tokens.
For some months now and since an update of the chromium-browser in 18.04, it was working with pure u2f tokens (e.g. the blue yubikeys, FIDO u2f token,...), but not with regular yubikeys anymore, although command line tools like u2f-host worked pretty well.
I checked the kernel messages and did not find any apparmor deny message or other reasons. Furthermore, the apparmor profile for usr.bin.
Now I did again some debugging and found that the problem is gone after
aa-disable usr.bin.
Although the profile was in complain mode and dmesg did not show any forbidden actions, the strace showed some EPERM (Operation not permitted) errors, which is why I tried to disable aa.
Interestingly, this problem does not affect regular u2f tokens, just the yubikeys with additional functions.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apparmor-profiles 2.12-4ubuntu5.1
Uname: Linux 4.15.0-47-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
CurrentDesktop: LXDE
Date: Thu Apr 18 11:14:22 2019
InstallationDate: Installed on 2018-04-30 (352 days ago)
InstallationMedia: Lubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
ProcKernelCmdline: BOOT_IMAGE=
SourcePackage: apparmor
Syslog:
UpgradeStatus: No upgrade log present (probably fresh install)
KernLog.txt contains several ALLOWED lines for chromium, and also DENIED lines for firefox (unrelated to this bug report, but nevertheless we should probably check them).
You mentioned that you got some EPERM in strace - can you please tell us which files were affected?
Wild guess: maybe those files were covered by "deny" rules in the firefox profile or an abstraction. (deny rules get enforced even in complain mode, and silence the logging.)
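The question above (which files returned EPERM) is normally answered by sifting the strace log, which matters here because a silent deny rule leaves nothing in dmesg. The following is an added example, not code from the bug report or from the apparmor project: a Python script that pulls every path-bearing syscall failing with EPERM or EACCES out of strace output and groups them by errno and path. The strace lines, PIDs and device paths are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample strace output (not taken from the bug report); the PIDs
# and paths are illustrative placeholders, not what chromium actually opened.
SAMPLE_STRACE = """\
12345 openat(AT_FDCWD, "/dev/hidraw2", O_RDWR|O_CLOEXEC) = -1 EPERM (Operation not permitted)
12345 openat(AT_FDCWD, "/dev/hidraw3", O_RDWR|O_CLOEXEC) = 7
12345 ioctl(7, HIDIOCGRAWINFO, 0x7ffd3c1e0a10) = 0
12346 access("/run/udev/data/c243:2", R_OK) = -1 EACCES (Permission denied)
12345 openat(AT_FDCWD, "/dev/hidraw2", O_RDWR|O_CLOEXEC) = -1 EPERM (Operation not permitted)
12345 openat(AT_FDCWD, "/dev/hidraw2", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
"""

# One strace -f line: optional PID, syscall name, argument list, failed return.
LINE_RE = re.compile(r'^(?:\d+\s+)?(\w+)\((.*)\)\s+=\s+-1\s+(E[A-Z]+)')
PATH_RE = re.compile(r'"([^"]*)"')

# Permission errnos are what a MAC policy such as AppArmor produces; ENOENT and
# other lookup failures are ordinary and are filtered out.
PERMISSION_ERRNOS = {"EPERM", "EACCES"}


def permission_failures(strace_text):
    """Return {(errno, path): {"count": n, "syscalls": [...]}} for every
    syscall that failed with a permission error and names a path."""
    hits = defaultdict(lambda: {"count": 0, "syscalls": set()})
    for line in strace_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        syscall, args, errno = m.groups()
        if errno not in PERMISSION_ERRNOS:
            continue
        path_match = PATH_RE.search(args)
        if not path_match:
            continue  # fd-based calls (ioctl, read, write) carry no path
        key = (errno, path_match.group(1))
        hits[key]["count"] += 1
        hits[key]["syscalls"].add(syscall)
    return {k: {"count": v["count"], "syscalls": sorted(v["syscalls"])}
            for k, v in hits.items()}


def report(strace_text):
    """One summary line per (errno, path), most frequent first."""
    rows = sorted(permission_failures(strace_text).items(),
                  key=lambda kv: (-kv[1]["count"], kv[0]))
    return "\n".join(f"{e:<7} {p}  x{v['count']}  via {','.join(v['syscalls'])}"
                     for (e, p), v in rows)


if __name__ == "__main__":
    print(report(SAMPLE_STRACE))
```

Feed it a real capture with `strace -f -o chromium.strace chromium-browser` and compare the listed paths against `deny` rules in the loaded profile and its abstractions.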