update apparmor profiles for chromium browser

Bug #1219800 reported by Chad Miller
This bug affects 2 people
Affects: chromium-browser (Ubuntu)    Status: Invalid    Importance: Undecided    Assigned to: Unassigned    Milestone: (none)

Bug Description

apparmor="ALLOWED" operation="open" parent=22477 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/usr/lib/i386-linux-gnu/libstdc++.so.6.0.18" pid=14545 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

apparmor="ALLOWED" operation="file_mmap" parent=22477 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/usr/lib/i386-linux-gnu/libstdc++.so.6.0.18" pid=14545 comm="chromium-browse" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0

apparmor="ALLOWED" operation="open" parent=22477 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/lib/i386-linux-gnu/libgcc_s.so.1" pid=14545 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

apparmor="ALLOWED" operation="file_mmap" parent=22477 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/lib/i386-linux-gnu/libgcc_s.so.1" pid=14545 comm="chromium-browse" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0

Less important:

apparmor="ALLOWED" operation="exec" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/usr/bin/lsb_release" @@@@ comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/chromium-browser/chromium-browser//null-16"

apparmor="ALLOWED" operation="getattr" ##### profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/etc/ld.so.cache" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="getattr" ##### profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/usr/lib/chromium-browser/" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="getattr" ##### profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/usr/lib/chromium-browser/libs/" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu1/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu2/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu3/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/present" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/etc/ld.so.cache" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Chad Miller (cmiller)
Changed in chromium-browser (Ubuntu):
assignee: nobody → Chad Miller (cmiller)
status: New → Confirmed
John Johansen (jjohansen) wrote :

For name="/usr/lib/i386-linux-gnu/libstdc++.so.6.0.18" change
    /usr/lib/libstdc++.so* mr,
to
    /usr/lib/{@{multiarch},}/libstdc++.so.* mr,

For name="/lib/i386-linux-gnu/libgcc_s.so.1" change
    /lib/libgcc_s.so* mr,
to
    /lib/{@{multiarch}/,}libgcc_s.so* mr,

For name="/usr/bin/lsb_release" add
    /usr/bin/lsb_release ix,

The GoogleTalkPlugin needs access to name="/sys/devices/system/cpu/cpu0/topology/core_id" and name="/sys/devices/system/cpu/present" add
    /sys/devices/system/cpu/cpu*/topology/core_id r,
    /sys/devices/system/cpu/present r,

For entries with profile="/usr/lib/chromium-browser/chromium-browser//null-XXX", where XXX is a number, this is a learning profile: apparmor doesn't know which profile the access should be added to. We selected ix above, so add these entries to the /usr/lib/chromium-browser/chromium-browser profile.

For name="/etc/ld.so.cache" add
    /etc/ld.so.cache r,

For name="/usr/lib/chromium-browser/" add
    /usr/lib/chromium-browser/ r,

For name="/usr/lib/chromium-browser/libs/" add
    /usr/lib/chromium-browser/libs/ r,

Chad Miller (cmiller) wrote :

A note for myself. Find yesterday's reported events with:

grep chromium-browser /var/log/kern.log |grep "$(date -d '1 day ago' +'^%Y-%m-%dT')" |cut -d\ -f7- |grep -v '^apparmor="STATUS" operation="profile_replace"'

Chad Miller (cmiller)
summary: - whitelist some apparmor messages for chromium browser
+ update apparmor profiles for chromium browser
Olivier Tilloy (osomon)
Changed in chromium-browser (Ubuntu):
assignee: Chad Miller (cmiller) → nobody
Changed in chromium-browser (Ubuntu):
status: Confirmed → Invalid