[snap] apparmor denials on /etc/chromium-browser/policies/

Bug #1714244 reported by Olivier Tilloy on 2017-08-31
This bug affects 2 people
Affects: chromium-browser (Ubuntu)

Bug Description

[1565519.440403] audit: type=1400 audit(1504185084.568:68574811): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/" pid=19433 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

[1565519.440527] audit: type=1400 audit(1504185084.568:68574812): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/recommended/" pid=19433 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Those denials don't appear to prevent the app from running. Still, they should be investigated and fixed if possible.
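As an added example (not part of the bug report), the following Python script parses AppArmor `type=1400` audit lines such as the two above and triages them. The distinction it draws is one the report's wording glosses over: `apparmor="ALLOWED"` together with a non-empty `denied_mask` means the profile is in complain mode and merely logged an access that enforce mode would block, whereas `apparmor="DENIED"` is an enforced block. The first two sample lines are copied from the description; the third is a constructed `DENIED` line for a made-up path, added only to exercise the enforce-mode branch.

```python
import re
from dataclasses import dataclass

# Constructed sample log: lines 1-2 are the audit lines from the bug report,
# line 3 is a hypothetical enforce-mode denial (not from the report).
SAMPLE_LOG = """\
[1565519.440403] audit: type=1400 audit(1504185084.568:68574811): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/" pid=19433 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[1565519.440527] audit: type=1400 audit(1504185084.568:68574812): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/recommended/" pid=19433 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[1565520.000000] audit: type=1400 audit(1504185085.000:68574813): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/user/Documents/notes.txt" pid=19433 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bareword; the audit(...) token has no '=' and is skipped.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AuditEvent:
    mode: str        # "ALLOWED" (complain mode) or "DENIED" (enforce mode)
    operation: str
    profile: str
    name: str        # path the confined process tried to access
    comm: str
    pid: int
    requested: str   # requested_mask
    denied: str      # denied_mask (empty when nothing was blocked)


def parse_audit_line(line: str):
    """Return an AuditEvent for an AppArmor type=1400 line, or None for other lines."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}
    return AuditEvent(
        mode=fields.get("apparmor", ""),
        operation=fields.get("operation", ""),
        profile=fields.get("profile", ""),
        name=fields.get("name", ""),
        comm=fields.get("comm", ""),
        pid=int(fields.get("pid", "0")),
        requested=fields.get("requested_mask", ""),
        denied=fields.get("denied_mask", ""),
    )


def triage(event: AuditEvent) -> str:
    """'complain': logged but permitted (would be blocked under enforce);
    'enforced': actually blocked; 'other': informational (e.g. no denied_mask)."""
    if event.mode == "ALLOWED" and event.denied:
        return "complain"
    if event.mode == "DENIED":
        return "enforced"
    return "other"


def triage_log(text: str):
    """Count events per (profile, verdict, path) so repeated noise collapses to one row."""
    report = {}
    for line in text.splitlines():
        event = parse_audit_line(line)
        if event is None:
            continue
        key = (event.profile, triage(event), event.name)
        report[key] = report.get(key, 0) + 1
    return report


if __name__ == "__main__":
    for (profile, verdict, path), count in sorted(triage_log(SAMPLE_LOG).items()):
        print(f"{count:4d}  {verdict:9s} {profile}  {path}")
```

Run against `journalctl -k` or `dmesg` output instead of the constructed sample to see which paths a snap's profile is merely logging versus blocking; for this report the two policy directories fall in the `complain` bucket, which is why the browser keeps running.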

Olivier Tilloy (osomon) wrote:

The code in chromium that determines where to look for policies is there: https://cs.chromium.org/chromium/src/chrome/common/chrome_paths.cc?l=482.

In the Ubuntu packages this is being patched to "/etc/chromium-browser/policies/": http://bazaar.launchpad.net/~chromium-team/chromium-browser/artful-stable/view/head:/debian/patches/configuration-directory.patch.

That patch could be made $SNAP-aware.

That directory is meant for system-wide policies installed by sysadmins, not regular users. In that regard, there is little value in patching it to point to $SNAP/etc/chromium-browser/policies/, since that directory is not writable.
There doesn't appear to be any way in chromium to disable the instantiation of the policy connector that queries those directories.

Olivier Tilloy (osomon) wrote:

Given that the denials are harmless and that getting rid of them would require a patch that wouldn't enable sysadmins to actually implement custom policies, I'll lower the importance of that bug.

Changed in chromium-browser (Ubuntu):
importance: Medium → Low
assignee: Olivier Tilloy (osomon) → nobody