This results in the following denial in /var/log/syslog:
Sep 20 15:58:17 ubuntu-phablet kernel: [ 6505.474410] type=1400 audit(1379692697.211:80): apparmor="DENIED" operation="exec" parent=1479 profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0" name="/usr/bin/webbrowser-app" pid=6248 comm="sh" requested_mask="x" denied_mask="x" fsuid=32011 ouid=0
Adding the following rule to /var/lib/apparmor/profiles/click_com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0:
/usr/bin/webbrowser-app rmix,
and reloading policy with 'sudo apparmor_parser -r /var/lib/apparmor/profiles/click_com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0' works around the issue.
This is a harmless addition to the ubuntu-webapp template, so I will do that. However I'm concerned that HTML5/PhoneGap apps that use a webview may also suffer from this, so it is worth investigating.
When a webapp is launched via the upstart job, it re-execs itself, causing an apparmor denial and failure to launch the browser:
First, install the facebook app from the appstore.
Then, from adb shell: phablet: /# sudo -H -u phablet -i ubuntu- phablet: ~$ start application APP_ID= com.ubuntu. developer. webapps. webapp- facebook_ webapp- facebook_ 1.0
root@ubuntu-
phablet@
This results in the following denial in /var/log/syslog: 7.211:80) : apparmor="DENIED" operation="exec" parent=1479 profile= "com.ubuntu. developer. webapps. webapp- facebook_ webapp- facebook_ 1.0" name="/ usr/bin/ webbrowser- app" pid=6248 comm="sh" requested_mask="x" denied_mask="x" fsuid=32011 ouid=0
Sep 20 15:58:17 ubuntu-phablet kernel: [ 6505.474410] type=1400 audit(137969269
Adding the following rule to /var/lib/ apparmor/ profiles/ click_com. ubuntu. developer. webapps. webapp- facebook_ webapp- facebook_ 1.0: bin/webbrowser- app rmix,
/usr/
and reloading policy with 'sudo apparmor_parser -r /var/lib/ apparmor/ profiles/ click_com. ubuntu. developer. webapps. webapp- facebook_ webapp- facebook_ 1.0' works around the issue.
This is a harmless addition to the ubuntu-webapp template, so I will do that. However I'm concerned that HTML5/PhoneGap apps that use a webview may also suffer from this, so it is worth investigating.