Comment 0 for bug 1228236

When a webapp is launched via the upstart job, it re-execs itself, causing an apparmor denial and failure to launch the browser:

First, install the facebook app from the appstore.

Then, from adb shell:
root@ubuntu-phablet:/# sudo -H -u phablet -i
phablet@ubuntu-phablet:~$ start application APP_ID=com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0

This results in the following denial in /var/log/syslog:
Sep 20 15:58:17 ubuntu-phablet kernel: [ 6505.474410] type=1400 audit(1379692697.211:80): apparmor="DENIED" operation="exec" parent=1479 profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0" name="/usr/bin/webbrowser-app" pid=6248 comm="sh" requested_mask="x" denied_mask="x" fsuid=32011 ouid=0

Adding the following rule to /var/lib/apparmor/profiles/click_com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0:
  /usr/bin/webbrowser-app rmix,

and reloading policy with 'sudo apparmor_parser -r /var/lib/apparmor/profiles/click_com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0' works around the issue.

This is a harmless addition to the ubuntu-webapp template, so I will do that. However I'm concerned that HTML5/PhoneGap apps that use a webview may also suffer from this, so it is worth investigating.