Google Chrome (not chromium) won't start in guest session

Bug #1298021 reported by Alan Pope 🍺🐧🐱 πŸ¦„ on 2014-03-26
26
This bug affects 6 people
Affects Status Importance Assigned to Milestone
lightdm (Ubuntu)
Medium
Jamie Strandboge

Bug Description

Related, but not a dupe of bug 577919
Install Google Chrome (not chromium) and switch to a guest session
Start chrome from a terminal
See the following error:-

"Failed to move to new PID namespace: Operation not permitted"

I see these apparmor denials:-

[Tue Mar 25 12:51:46 2014] type=1400 audit(1395861131.882:541): apparmor="DENIED" operation="capable" profile="/usr/lib/lightdm/lightdm-guest-session" pid=30034 comm="chrome-sandbox" capability=21 capname="sys_admin"
[Tue Mar 25 12:52:13 2014] type=1400 audit(1395861159.510:542): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/30062/oom_score_adj" pid=30062 comm="chrome" requested_mask="wc" denied_mask="wc" fsuid=130 ouid=130

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: lightdm 1.9.13-0ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-19.40-generic 3.13.6
Uname: Linux 3.13.0-19-generic x86_64
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Mar 26 19:08:04 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2012-06-29 (634 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
SourcePackage: lightdm
UpgradeStatus: Upgraded to trusty on 2014-01-20 (65 days ago)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lightdm (Ubuntu):
status: New → Confirmed
Changed in lightdm (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in lightdm (Ubuntu):
status: In Progress → Fix Committed
Adolfo Jayme (fitojb) on 2014-04-12
Changed in lightdm (Ubuntu):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.10.0-0ubuntu3

---------------
lightdm (1.10.0-0ubuntu3) trusty; urgency=medium

  * debian/patches/06_apparmor_chromium_updates.patch: allow oxide based
    browsers and Google Chrome to run in the guest session
    - LP: #1298021
    - LP: #1306560
 -- Jamie Strandboge <email address hidden> Fri, 11 Apr 2014 09:24:09 -0500

Changed in lightdm (Ubuntu):
status: Fix Committed → Fix Released
Martyn Welch (martyn-welch) wrote :

This bug seems to have creeped back in again:

[ 1214.105750] type=1400 audit(1407789724.679:88): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/4954/oom_score_adj" pid=4954 comm="chrome" requested_mask="wc" denied_mask="wc" fsuid=116 ouid=116
[ 1214.107233] type=1400 audit(1407789724.679:89): apparmor="DENIED" operation="capable" profile="/usr/lib/lightdm/lightdm-guest-session" pid=4961 comm="chrome-sandbox" capability=21 capname="sys_admin"

$ lsb_release -rd
Description: Ubuntu 14.04.1 LTS
Release: 14.04

$ apt-cache policy lightdm
lightdm:
  Installed: 1.10.1-0ubuntu1
  Candidate: 1.10.1-0ubuntu1
  Version table:
 *** 1.10.1-0ubuntu1 0
        500 http://gb.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.10.0-0ubuntu3 0
        500 http://gb.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Martyn Welch (martyn-welch) wrote :

Ah! It appears that Google have changed their packaging subtly, which has made the original patch ineffective.

Among other things, the original patch added the following lines to "/etc/apparmor.d/abstractions/lightdm_chromium-browser":

  /opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
  /opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
  /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,

At least in the version of chrome I have installed (google-chrome-stable 36.0.1985.143-1, from the repository at http://dl.google.com/linux/chrome/deb/), the binary is installed to "/opt/google/chrome/google-chrome". Adding the following additional line caused the browser to work in guest mode for me:

  /opt/google/chrome/google-chrome Cx -> chromium,

Mikko Rauhala (mjr-iki) wrote :

Confirmed that the bug exists once more. Martyn's fix works. Could that be packaged, perhaps?

Jamie Strandboge (jdstrand) wrote :

This will be fixed in the next lightdm upload.

Eric D (eric-dunbar) wrote :

This bug still seems to exist (25/1/2015).

Apologies if this is the wrong place to post this: just installed Edubuntu 14.04 (on 25/1/2015), let it install the updates.

Now I am trying to use Google Chrome (yuck; version 40.02214.91) in Guest mode. The error "Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted" pops up. Running /opt/google/chrome/google-chrome Cx -> chromium displays the same error.

Appending the flag --no-sandbox works but that pops up a warning in Chrome which I'd like to suppress (there's no point to the warning since Chrome, with that flag, will be running in the Guest login which gets wiped after each logout).

Jamie Strandboge (jdstrand) wrote :

Eric, this bug is closed and was fixed for the original bug. Can you file a new bug using 'ubuntu-bug apparmor' after you see the issue? Thanks.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers