chromium-browser fails to start (guest account, OpenVZ): "Failed to move to new PID namespace: Operation not permitted"

What is the error?

I have also noticed this issue in guest sessions on the Lucid 32-bit Desktop installation. When attempting to run Chromium from a terminal the following output is given:

guest@custard:~$ chromium-browser
Failed to move to new PID namespace: Operation not permitted

The only workaround I have found so far is to re-install Firefox for guest session browsing. If you need any more information, please just ask.

I assume that guest accounts can't run SUID binaries? Can you, for example, run ping?

SUID binaries are important for our default sandbox and I don't wish to encourage anyone to run without the sandbox enabled. We have another sandboxing technique in development, but it runs in conjunction with the SUID sandbox at the moment, not as an alternative. Over the long term we hope to retire the SUID one, but that won't happen soon.

In short, I believe that Firefox is probably the answer here for now. If this becomes a significant issue for many people then we could consider bodging it.

It might be worth some further consideration if Chromium becomes the default browser in Maverick (10.10). However, you guessed correctly as here is the output of a ping:

guest@custard:~$ ping www.google.com
ping: icmp open socket: Permission denied

Reassigning to the gdm-guest-session package as the apparmor profile in that package is probably what is blocking this.

This also seems to occur when running Chromium under an OpenVZ container -- not because suid is disallowed, but presumably because of some related priviledge used for the sandboxing..

The apparmor-caused issue of Guest account not being able to run suid programs is actually farther-reaching. Beyond chromium, ping, virtualbox, and other programs that require suid binaries. gksudo doesn't work, which means that most of the items on the System|Administration menu fail with no error message. For example, the guest user selects System|Administration|Synaptic, and nothing happens. Perhaps apparmor could display a friendly GUI error message, or perhaps gksudo could be called through a wrapper that presents a friendly GUI error message?

It is happening (suddenly) in OpenVZ for me, too, after having updated the OpenVZ kernel (linux-image-openvz-amd64 2.6.32+28 from Debian testing) and chromium-browser itself (chromium-browser 6.0.472.36~r55963-0ubuntu1~ucd1~hardy).

The workaround appears to be using "--no-sandbox".
Unfortunately this adds a warning/note during startup and is therefore not a good solution for my use case (browsershots.org instances).

@Chris:
1. Are you using the OpenVZ kernel from Ubuntu Hardy?
2. What chromium-browser package are you using?

This comment suggests a workaround:
  http://code.google.com/p/chromium/issues/detail?id=31077#c11

Since failure to move to a new PID namespace means you're no longer protected by the sandbox, we're reluctant to make it convenient to start in such a configuration.

@Daniel, I am currently using a custom kernel 2.6.32.14 compiled from openvz-belyayev. The host is 64-bit Lucid, the guest 32-bit Lucid. I just retested using the latest from the Lucid repository, chromium-browser_5.0.375.125~r53311-0ubuntu0.10.04.1_i386, with the same results.

Thanks, Evan, I have used the following now to make it work:
    dpkg-divert --add --rename --divert /usr/lib/chromium-browser/chromium-browser-sandbox.real /usr/lib/chromium-browser/chromium-browser-sandbox

@Chris: I'm just wondering if it's Chromium 6 or the kernel upgrade which triggered this for me.. I guess it's chromium though.

We have an upstream bug about this here:
  http://code.google.com/p/chromium/issues/detail?id=62248

Note that removing the sandbox makes Chromium on a guest account *less secure* than Chromium in a normal account.
A sandboxed Chromium does all of the page processing (HTML interpretation, running JavaScript) in a process that doesn't have access to the network or disk; by contrast, an apparmor-wrapper Chromium without a sandbox runs all of that at the same privilege as a normal app.

Would it be possible for chrome/chromium package to include an apparmour config that says that chrome suid binary is ok even when run from inside the guest account? (I don't know the limits of apparmour configuration.)

Yes it is possible. You specify a child profile in gdm-guest-session for chromium and transition to it when executing the binary.

Hello,

is there any follow up on this bug? I'm facing the same problem within a gdm guest session while launching google chrome.

Is it possible to have a pass-through profile for google-chrome within the gdm-guest-session. I mean a sub profile having with no rule only for google-chrome?

Regards

Works for me using
1. Google Chrome 8 (8.0.552.237) and
2. OpenVZ kernel from Debian Squeeze (linux-image-2.6.32-5+blueyed.1-openvz-amd64 2.6.32-31blueyed.1 - I have just applied a custom config).

The hardware node and the containers are running Debian Squeeze (basically).

Thanks for the reply Daniel.

I would like to know if it's possible to have a sub profile for a specific executable which has no policy?

Confirm that chromium-browser won't run in a guest session under 11.10. Same old problem: "Failed to move to new PID namespace: Operation not permitted" - whereupon it hangs.

Confirm this is still a problem in 12.04.

Ubuntu 12.04 i386 it still here.

First of all I apologize for my possible bad english.

Well I have the same problem and found some more information :

Description: Ubuntu 12:04:1 LTS
Release: 12.04
x86_64

When I look at my syslog file I found this line :

Aug 27 16:47:53 kernel: type=1400 audit(1346078873.846:2503): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" name="/proc/3574/oom_score_adj" pid=3574 comm="chromium-browse" requested_mask="wc" denied_mask="wc" fsuid=119 ouid=119
Aug 27 16:47:53 kernel: type=1400 audit(1346078873.846:2504): apparmor="DENIED" operation="capable" parent=3574 profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" pid=3578 comm="chromium-browse" capability=21 capname="sys_admin"

Also when launching chromiun in a shell I get this error :
Failed to move to new PID namespace: Operation not permitted

When I try to fix this error by creating a child profile in apparmor I'm now with this error :
Failed to determine real pocess id of new "init" process

the new syslog :

Aug 27 23:03:29 kernel: [206330.553415] type=1400 audit(1346101409.730:6150): apparmor="DENIED" operation="open" parent=9565 profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium" name="/proc/9854/oom_score_adj" pid=9854 comm="chromium-browse" requested_mask="wc" denied_mask="wc" fsuid=119 ouid=119
Aug 27 23:03:29 kernel: [206330.556458] type=1400 audit(1346101409.734:6151): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium" name="/proc/9859/status" pid=9859 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=119 ouid=0

I'm still working around but due to the lack of information on apparmor profile it's a little hard.
In attachment the profile I last use as an attempt to fix the bug.

Bug fix with the profile in attachment.

You can fix the bug by replacing the file /etc/apparmor.d/lightdm-guest-session by the one in attachment.

But I don't know how to fix it in the package of lightdm (seem to be a file provide by lightdm package)

Also before using my file as a way of fixing the bug I think we have to write the config file in a more appropriate way.

The attachment "apparmor profile for guest-session fixed for chromium launch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

Status changed to 'Confirmed' because the bug affects multiple users.

Because to fix the bug it seems like to be a modification of the file /etc/apparmor.d/lightdm-guest-session provide by this package.

Well I work with some profile provide by the apparmor-profiles packages and succeed to fix the bug with separate file.

the archive as the following content :

drwxrwxr-x 0 2012-08-28 23:52 lightdm_chromium_fix/
-rw-rw-r-- 35978 2012-08-28 23:52 lightdm_chromium_fix/apparmor-profiles_2.7.102-0ubuntu3.1_all.deb
drwxrwxr-x 0 2012-08-28 23:40 lightdm_chromium_fix/etc/
drwxrwxr-x 0 2012-08-28 23:46 lightdm_chromium_fix/etc/apparmor.d/
drwxr-xr-x 0 2012-08-28 23:49 lightdm_chromium_fix/etc/apparmor.d/lightdm-guest-session.d/
-rw-r--r-- 3258 2012-08-28 23:42 lightdm_chromium_fix/etc/apparmor.d/lightdm-guest-session.d/java
-rw-r--r-- 6499 2012-08-28 23:49 lightdm_chromium_fix/etc/apparmor.d/lightdm-guest-session.d/usr.bin.chromium-browser
-rw-r--r-- 1863 2012-08-28 23:46 lightdm_chromium_fix/etc/apparmor.d/lightdm-guest-session
-rw-rw-r-- 98446 2012-08-28 23:52 lightdm_chromium_fix/lightdm_1.2.1-0ubuntu1.1_amd64.deb

the two .deb has some file I worked with.

the folder lightdm_chromium_fix has all file required to fix the bug.

But the file java is just here because of his presence in apparmor-profiles and doesn't do annything. It's just that I wanted to get it worked because of his presence.

With the hope to be clear.

PS: I don't know what status to put now.

I hope that the patch gets into 12.10 since Chromium is the default in Lubuntu and arguable the browser is the most important application to use as a guest user. I had to install Firefox just for guests.

jeremiejig, thanks for your work on this. I think I am going to solve it in a different way however. It would be nice if AppArmor could merge profiles, but we can't yet, so we need to do like you initially did: have two mostly identical profiles. Because the lightdm remote sessions are shipping policy copies, the maintenance cost is getting high. I will be abstracting out the guest rules into abstracations/lightdm and then have a small snippet using a child profile in abstractions/lightdm_chromium-browser. The guest and remote lightdm profiles can just include these and all the policy is in the abstractions. Using a lightdm.d directory is a good idea, but upstream AppArmor is currently discussing how to best handle .d directories like this, and I'd rather not add another one until that discussions is finished.

This bug was fixed in the package lightdm - 1.3.3-0ubuntu5

---------------
lightdm (1.3.3-0ubuntu5) quantal; urgency=low

  * debian/patches/08_lp1059510.patch: allow owner 'rw' access to
    /{,var/}run/user/guest-*/dconf/user. Also allow owner writes to sockets in
    /{,var/}run/user/guest-*/keyring-*/. (LP: #1059510)
  * debian/patches/09_lp577919-fix-chromium-launch.patch: allow launch of
    chromium-browser from guest session. (LP: #577919)
 -- Jamie Strandboge <email address hidden> Mon, 01 Oct 2012 10:15:51 -0500

This bug was fixed in the package lightdm-remote-session-freerdp - 1.0-0ubuntu2

---------------
lightdm-remote-session-freerdp (1.0-0ubuntu2) quantal; urgency=low

  * use lightdm's AppArmor abstractions which pulls in fixes for LP: #577919
    and LP: #1059510
    - debian/control: use version Recommends on lightdm >= 1.3.3-0ubuntu5
      since it is the first to supply AppArmor abstractions
    - debian/patches/01_use-lightdm-apparmor-abstraction.patch: use lightdm's
      abstractions
 -- Jamie Strandboge <email address hidden> Mon, 01 Oct 2012 13:00:31 -0500

This bug was fixed in the package lightdm-remote-session-uccsconfigure - 1.1-0ubuntu2

---------------
lightdm-remote-session-uccsconfigure (1.1-0ubuntu2) quantal; urgency=low

  * use lightdm's AppArmor abstractions which pulls in fixes for LP: #577919
    and LP: #1059510
    - debian/control: use version Recommends on lightdm >= 1.3.3-0ubuntu5
      since it is the first to supply AppArmor abstractions
    - debian/patches/01_use-lightdm-apparmor-abstraction.patch: use lightdm's
      abstractions
 -- Jamie Strandboge <email address hidden> Mon, 01 Oct 2012 13:52:20 -0500

As of today (October 6) the bug still exists here on my ubuntu 12.04.1 amd64 fully updated

well that's normal because the bug was fixed and release for quantal version only.

No its not normal because the bug exist in Quantal as well.... I just found this bug report because i faced the problem in Quantal some minutes ago

Okay, so I install a fresh new install of Quantal on a VM for test.

I install chromium-browser, launch a guest-session, try to launch chromium-browser in the guest-session and it's working.

I don't that there are not some bug remaining, but as for me the program start and is usable.

Will this fix be released for Precise?

In theory if a system has support it should be released..
El 24/11/2012 14:10, "Hendrik Knackstedt" <email address hidden>
escribió:

> Will this fix be released for Precise?
>
> --
> You received this bug notification because you are subscribed to a
> duplicate bug report (924959).
> https://bugs.launchpad.net/bugs/577919
>
> Title:
> chromium-browser fails to start (guest account, OpenVZ): "Failed to
> move to new PID namespace: Operation not permitted"
>
> Status in Chromium Browser:
> Unknown
> Status in Light Display Manager:
> In Progress
> Status in OpenVZ kernel (patchset):
> Confirmed
> Status in “gdm-guest-session” package in Ubuntu:
> Confirmed
> Status in “lightdm” package in Ubuntu:
> Fix Released
> Status in “lightdm-remote-session-freerdp” package in Ubuntu:
> Fix Released
> Status in “lightdm-remote-session-uccsconfigure” package in Ubuntu:
> Fix Released
>
> Bug description:
> Binary package hint: chromium-browser
>
> When i opened my guest account to let my friend to use the computer,
> he couldn't run chromium-browser.
>
> But it works ok when my user account is activated
>
> ProblemType: Bug
> DistroRelease: Ubuntu 10.04
> Package: chromium-browser 5.0.342.9~r43360-0ubuntu2
> ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
> Uname: Linux 2.6.32-22-generic i686
> Architecture: i386
> Date: Sun May 9 19:49:44 2010
> InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta i386 (20100318)
> ProcEnviron:
> LANG=tr_TR.utf8
> SHELL=/bin/bash
> SourcePackage: chromium-browser
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/chromium-browser/+bug/577919/+subscriptions
>

same problem here, i'm using google chrome stable and when i try to open as guest it does nothing, and when i try to open from console it says "Failed to move to new PID namespace: Operation not permitted" please fix it soon as possible, people are using my account to browse web, and no i won't use firefucks

Fixed in lightdm 1.5.1

Jamie, could you please upload your fix to precise-proposed?

Chormium works on 12.10 (previous version don't), and I'm happy :)
Thank you very much!

Long term support?!? Be nice for this fix to be applied to Precise.... Will probably end up using jeremiejig's fix for the time being (1,600 machines. Don't want to have to remove apparmor).

> Be nice for this fix to be applied to Precise....

ping

Can this fix *please* be backported to Precise?

We follow the Ubuntu recommendations in using LTS releases for our large computer, but we are hurting right now because we are unable to offer Google Chrome to our guest users.

This is a major bug! It breaks one of the most commonly used programs in Ubuntu.

Trying to use Ubuntu as a Kiosk platform. 13.04 doesn't work because the video is borked on our netbooks without nomodeset, which destroys the performance. I'd use 12.04 LTS, but Firefox doesn't work as guest on any version of ubuntu because it doesn't support proxy env vars. And on the LTS version... THIS? Is there a single version of Ubuntu that doesn't have a major show-stopping bug? Particularly with the ability to browse the internet? How can this be such a "low" priority when internet browsing is pretty much the whole point of the guest account? In this day, what function of the computer is more important than the internet browser? I don't want to admit that Windows ThinPC is a better kiosk platform than Ubuntu. But right now it is the only thing we can get working, and it is easy-peasy, where-as I've wasted close to two weeks trying to build a viable Ubuntu option, seemingly a simple task, due to all of these bugs...

Uploaded 1.2.3-0ubuntu2.2 to precise-proposed. It will be available in precise-proposed once ubuntu-sru reviews and approves it.

Hello lipstick, or anyone else affected,

Accepted lightdm into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lightdm/1.2.3-0ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

The patch in -proposed fixes the problem for me on Lubuntu 12.04. Can launch and use Chromium in guest session without problems now.

The version I tested is from -proposed, so it should be 1.2.3-0ubuntu2.2 according to apt.

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

This bug was fixed in the package lightdm - 1.2.3-0ubuntu2.2

---------------
lightdm (1.2.3-0ubuntu2.2) precise-proposed; urgency=low

  * debian/patches/05_lp577919-fix-chromium-launch.patch: allow launch of
    chromium-browser from guest session. (LP: #577919)
  * debian/lightdm.postinst: reload apparmor profile on upgrade
 -- Jamie Strandboge <email address hidden> Tue, 11 Jun 2013 11:11:42 -0500

Hi,

I just noticed in the new changelog.gz that this was fixed in the earlier upgrade, yay!

thanks very much,
Hamish

... now about all those zombies ...? :)

Uh-oh. I'm seeing this again with lightdm 1.6.0-0ubuntu3 on ubuntu 13.04 guest sessions
with Google Chrome 28.0.1500.95. Perhaps the bug is back in a slightly new form?

@Dan

Can you report a new bug using 'ubuntu-bug apparmor' after using the guest session and testing chromium?

AND on 13.10. Four years, and nobody gives a damn about making it REALLY work.

So, what you're saying is "we introduced a "guest" login, but we don't really want it to be able to do anything (who on earth suggested "Firefox" was a reasonable workaround?).

So, I have a workaround. Forget about every using the "Guest" account. Create an a real user account, and remove the password. It's surely less secure, but it can actually do real work.

@auspex: could you please file a new bug about the problem you're seeing, so we can actually debug it? Chromium works fine for me in the guest account in 13.10, and this bug was fixed almost a year ago. If you're having issues with Chromium in the 13.10 guest account, it's an unrelated issue.