update apparmor profiles for chromium browser

Bug #1219800 reported by Chad Miller on 2013-09-02
This bug affects 2 people
Affects: chromium-browser (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

apparmor="ALLOWED" operation="open" parent=22477 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/usr/lib/i386-linux-gnu/libstdc++.so.6.0.18" pid=14545 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

apparmor="ALLOWED" operation="file_mmap" parent=22477 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/usr/lib/i386-linux-gnu/libstdc++.so.6.0.18" pid=14545 comm="chromium-browse" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0

apparmor="ALLOWED" operation="open" parent=22477 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/lib/i386-linux-gnu/libgcc_s.so.1" pid=14545 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

apparmor="ALLOWED" operation="file_mmap" parent=22477 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/lib/i386-linux-gnu/libgcc_s.so.1" pid=14545 comm="chromium-browse" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0

Less important:

apparmor="ALLOWED" operation="exec" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/usr/bin/lsb_release" @@@@ comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/chromium-browser/chromium-browser//null-16"

apparmor="ALLOWED" operation="getattr" ##### profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/etc/ld.so.cache" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="getattr" ##### profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/usr/lib/chromium-browser/" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="getattr" ##### profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/usr/lib/chromium-browser/libs/" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu1/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu2/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu3/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/present" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/etc/ld.so.cache" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Chad Miller (cmiller) on 2013-09-02
Changed in chromium-browser (Ubuntu):
assignee: nobody → Chad Miller (cmiller)
status: New → Confirmed
John Johansen (jjohansen) wrote :

For name="/usr/lib/i386-linux-gnu/libstdc++.so.6.0.18" change
    /usr/lib/libstdc++.so* mr,
to
   /usr/lib/{@{multiarch},}/libstdc++.so.* mr,

For name="/lib/i386-linux-gnu/libgcc_s.so.1" change
    /lib/libgcc_s.so* mr,
to
   /lib/{@{multiarch}/,}libgcc_s.so* mr,

For name="/usr/bin/lsb_release" add
    /usr/bin/lsb_release ix,

The GoogleTalkPlugin needs access to name="/sys/devices/system/cpu/cpu0/topology/core_id" and name="/sys/devices/system/cpu/present" add
    /sys/devices/system/cpu/cpu*/topology/core_id r,
    /sys/devices/system/cpu/present r,

For entries with profile="/usr/lib/chromium-browser/chromium-browser//null-XXX", where XXX is a number, this is a learning profile where apparmor doesn't know which profile the access should be added to. We selected ix above, so add these entries to the /usr/lib/chromium-browser/chromium-browser profile.

For name="/etc/ld.so.cache" add
    /etc/ld.so.cache r,

For name="/usr/lib/chromium-browser/" add
    /usr/lib/chromium-browser/ r,

For name="/usr/lib/chromium-browser/libs/" add
    /usr/lib/chromium-browser/libs/ r,

Chad Miller (cmiller) wrote :

A note for myself. Find yesterday's reported events with:

grep chromium-browser /var/log/kern.log | grep "$(date -d '1 day ago' +'^%Y-%m-%dT')" | cut -d' ' -f7- | grep -v '^apparmor="STATUS" operation="profile_replace"'
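
As an added illustration (not code from this bug report or from the chromium-browser package), the following Python script does mechanically what John's comment above does by hand: it parses audit lines like the ones in the description, folds //null-NNN learning-profile entries into the parent profile, merges the denied masks per path and prints candidate rules, while skipping the STATUS/profile_replace lines that Chad's grep filters out. The sample log is constructed, the @{multiarch} substitution and the use of ix are assumptions made here, and the version and cpu* wildcarding John applies are left to the reviewer.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the audit lines quoted in this bug; the
# reporter's ##### / @@@@ (parent/pid) placeholders are simply left out.
SAMPLE_LOG = """\
apparmor="STATUS" operation="profile_replace" name="/usr/lib/chromium-browser/chromium-browser" comm="apparmor_parser"
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/usr/lib/i386-linux-gnu/libstdc++.so.6.0.18" comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/usr/lib/i386-linux-gnu/libstdc++.so.6.0.18" comm="chromium-browse" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
apparmor="ALLOWED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser" name="/usr/bin/lsb_release" comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/chromium-browser/chromium-browser//null-16"
apparmor="ALLOWED" operation="getattr" profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/etc/ld.so.cache" comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/topology/core_id" comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key="quoted" or key=bare
NULL_PROFILE_RE = re.compile(r"//null-\d+$")        # learning-profile suffix
MULTIARCH_RE = re.compile(r"/[a-z0-9_]+-linux-gnu[a-z0-9]*/")  # assumption

def parse_event(line):
    """Split one audit line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def owning_profile(profile):
    """A //null-NNN suffix marks a learning profile whose accesses belong
    to the parent profile (the one that did the ix transition); real child
    profiles such as //chromium_browser_sandbox are kept as-is."""
    return NULL_PROFILE_RE.sub("", profile)

def suggest_rules(log_text):
    """Merge denied masks per (profile, path) and build one rule per path.
    Assumption: a multiarch directory is rewritten to the @{multiarch}
    tunable, and an exec denial becomes 'ix' as chosen in the thread."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("apparmor") not in ("ALLOWED", "DENIED") or "name" not in ev:
            continue  # STATUS/profile_replace noise, or an event without a path
        path = MULTIARCH_RE.sub("/@{multiarch}/", ev["name"])
        perms[(owning_profile(ev.get("profile", "?")), path)] |= set(ev.get("denied_mask", ""))
    rules = defaultdict(list)
    for (profile, path), mask in sorted(perms.items()):
        mode = "".join(c for c in "mrw" if c in mask) + ("ix" if "x" in mask else "")
        rules[profile].append(f"{path} {mode},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(profile)
        print("\n".join("    " + r for r in lines))
```

The suggested rules are a starting point for review, not something to paste into the profile unread; a path that appears once in complain mode may still be one the profile should deny.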

Chad Miller (cmiller) on 2013-09-04
summary: - whitelist some apparmor messages for chromium browser
+ update apparmor profiles for chromium browser
Olivier Tilloy (osomon) on 2018-03-09
Changed in chromium-browser (Ubuntu):
assignee: Chad Miller (cmiller) → nobody