[snap] apparmor denials on /etc/chromium-browser/policies/

Bug #1714244 reported by Olivier Tilloy on 2017-08-31
This bug affects 3 people
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Olivier Tilloy

Bug Description

[1565519.440403] audit: type=1400 audit(1504185084.568:68574811): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/" pid=19433 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

[1565519.440527] audit: type=1400 audit(1504185084.568:68574812): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/recommended/" pid=19433 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Those denials don't appear to prevent the app from running. Still, they should be investigated and fixed if possible.
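Both records in the description carry apparmor="ALLOWED", which AppArmor logs when a profile is in complain mode: the access is permitted and only recorded. The following is an added example (not part of the original report or of any Ubuntu tooling) that parses such audit lines and separates logged-only records from real denials; the third sample line, with its profile and path, is constructed for contrast.

```python
import re
from collections import defaultdict

# First two lines: the audit records from the bug description above.
# Third line: constructed for contrast (hypothetical profile and path).
SAMPLE_LOG = '''\
[1565519.440403] audit: type=1400 audit(1504185084.568:68574811): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/" pid=19433 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[1565519.440527] audit: type=1400 audit(1504185084.568:68574812): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/recommended/" pid=19433 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[0.000000] audit: type=1400 audit(0.000:1): apparmor="DENIED" operation="open" profile="example.constructed" name="/etc/example/constructed.conf" pid=1 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit record, else None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in FIELD_RE.findall(line)}


def summarize(log_text):
    """Group records by (profile, path) with the verdicts and masks seen."""
    summary = defaultdict(lambda: {"verdicts": set(), "denied_mask": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if rec is None:
            continue
        entry = summary[(rec.get("profile"), rec.get("name"))]
        entry["verdicts"].add(rec["apparmor"])
        entry["denied_mask"].update(rec.get("denied_mask", ""))
        entry["count"] += 1
    return dict(summary)


def paths_with_verdict(log_text, verdict):
    """Sorted paths whose records carry the given apparmor= verdict."""
    return sorted(name for (_, name), entry in summarize(log_text).items()
                  if verdict in entry["verdicts"])


if __name__ == "__main__":
    # ALLOWED: logged in complain mode, the open() succeeded.
    print("logged only:", paths_with_verdict(SAMPLE_LOG, "ALLOWED"))
    # DENIED: refused by an enforcing profile.
    print("blocked:", paths_with_verdict(SAMPLE_LOG, "DENIED"))
```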

Olivier Tilloy (osomon) wrote :

The code in chromium that determines where to look for policies is there: https://cs.chromium.org/chromium/src/chrome/common/chrome_paths.cc?l=482.

In the Ubuntu packages this is being patched to "/etc/chromium-browser/policies/": http://bazaar.launchpad.net/~chromium-team/chromium-browser/artful-stable/view/head:/debian/patches/configuration-directory.patch.

That patch could be made $SNAP-aware.

That directory is meant for system-wide policies installed by sysadmins, not regular users. In that regard, there is little value in patching it to point to $SNAP/etc/chromium-browser/policies/, since that directory is not writeable.
There doesn't appear to be any way in chromium to disable the instantiation of the policy connector that queries those directories.

Olivier Tilloy (osomon) wrote :

Given that the denials are harmless and that getting rid of them would require a patch that wouldn't enable sysadmins to actually implement custom policies, I'll lower the importance of that bug.

Changed in chromium-browser (Ubuntu):
importance: Medium → Low
assignee: Olivier Tilloy (osomon) → nobody

Joachim Sauer (saua) wrote :

Is there a separate bug somewhere about actually implementing custom policies? Since 19.10 switched Chromium to Snap this means that not having those is an actual regression compared to 18.10 or 19.04, so I'd say this warrants a slightly higher priority now.

Olivier Tilloy (osomon) wrote :

@Joachim: there's no separate bug for this yet, but you're right that this needs attention. Would you mind filing one to track this separately? If you can attach examples of custom policies that would be great, too.

Olivier Tilloy (osomon) wrote :

A separate bug was filed: bug #1866732.

Oliver Grawert (ogra) wrote :

Is there any particular reason to not simply adjust the patch to point to $SNAP_DATA/etc/chromium-browser/policies? After all, this is where system-wide configs should go ...

Olivier Tilloy (osomon) wrote :

You're right Oliver, the patch should be adjusted to look for policies in $SNAP_DATA.

Changed in chromium-browser (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
importance: Low → Medium

Olivier Tilloy (osomon) wrote :

And for migration purposes, ideally the existing policies in /etc/chromium-browser/policies would be copied over to $SNAP_DATA/.

Damien Clabaut (dclabaut) wrote :

Is there any update or workaround on this issue? This is going to be a problem for everyone in enterprise environments.
