webbrowser-app apparmor policy fails to load on desktop

Bug #1511439 reported by Jamie Strandboge on 2015-10-29
28
This bug affects 6 people
Affects Status Importance Assigned to Milestone
Canonical System Image
High
Bill Filler
webbrowser-app (Ubuntu)
High
Olivier Tilloy

Bug Description

$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.webbrowser-app
AppArmor parser error for /etc/apparmor.d/usr.bin.webbrowser-app in /etc/apparmor.d/usr.bin.webbrowser-app at line 26: Could not open '/usr/share/apparmor/hardware/graphics.d'
$
$ sudo aa-status|grep webbrowser
$

This was tested on xenial but affects wily too if it is shipping the policy.

The problem is that apparmor-easyprof-ubuntu normally ships these directories, but it is not installed by default on the desktop image. I suggest shipping these empty directories via the webbrowser-app's packaging:
- /usr/share/apparmor/hardware/audio.d
- /usr/share/apparmor/hardware/graphics.d
- /usr/share/apparmor/hardware/video.d

Related branches

John Johansen (jjohansen) wrote :

I can confirm, I am seeing this as well in testing

Jamie Strandboge (jdstrand) wrote :

Note, this means that the webbrowser-app will run unconfined on the desktop.

Olivier Tilloy (osomon) wrote :

The version of webbrowser-app in wily (0.23+15.10.20150929-0ubuntu1) doesn’t ship the apparmor policy, it was added in version 0.23+15.10.20151005-0ubuntu1.
So only xenial is affected for now.

Olivier Tilloy (osomon) wrote :

Wouldn’t it be acceptable to make webbrowser-app depend on apparmor-easyprof-ubuntu instead?

Olivier Tilloy (osomon) on 2015-11-02
Changed in webbrowser-app (Ubuntu):
status: New → Triaged
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

That is an option, but I think that is a superflous dependency. apparmor-easyprof-ubuntu is only for click apps-- you just happen to be leveraging it to make things easier, but the shipped profile doesn't depend on it. All you need to do is create a debina/webbrowser-app.dirs file and put these dirs in it.

Olivier Tilloy (osomon) wrote :

Got it. As a side note, there’s nothing in the package’s description that suggests it’s for click apps only:

    Description-en: AppArmor easyprof templates for Ubuntu
     Provides AppArmor easyprof templates and policygroups suitable for use with
     the Ubuntu app ecosystem.

Maybe the description should be updated to make that clear?

Olivier Tilloy (osomon) on 2015-11-05
Changed in webbrowser-app (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
Olivier Tilloy (osomon) on 2015-11-05
Changed in webbrowser-app (Ubuntu):
status: Triaged → In Progress
Changed in canonical-devices-system-image:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Bill Filler (bfiller)
milestone: none → ww02-2016
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webbrowser-app - 0.23+16.04.20151111.2-0ubuntu1

---------------
webbrowser-app (0.23+16.04.20151111.2-0ubuntu1) xenial; urgency=medium

  [ CI Train Bot ]
  * New rebuild forced.
  * Resync trunk.

  [ Olivier Tilloy ]
  * Add missing unit test cleanup.
  * Ship empty apparmor hardware profile directories to avoid adding a
    runtime dependency on apparmor-easyprof-ubuntu. (LP: #1511439)

  [ Ugo Riboni ]
  * Add keyboard shortcuts to undo closing tabs (Ctrl+Shift+T and
    Ctrl+Shift+W). (LP: #1499767)
  * Create the webview in a safer way, by keeping the incubator around
    and monitoring the progress, and by using sync creation if there is
    a pending request. (LP: #1514701)
  * Hide webviews created via onNewViewRequested until the tab they
    belong to becomes current. (LP: #1464436)
  * Use lowercase letters for keyboard shortcut invokation in autopilot
    tests.

 -- Olivier Tilloy <email address hidden> Wed, 11 Nov 2015 16:04:11 +0000

Changed in webbrowser-app (Ubuntu):
status: In Progress → Fix Released
Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released
Changed in canonical-devices-system-image:
status: Fix Released → Fix Committed
Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released
Martin (martin3000) wrote :

In ubuntu 17.10, apparmor.service did not start because video.d, audio.d and graphics.d could not be loaded.

Jamie Strandboge (jdstrand) wrote :

@Martin, do note that the apparmor policy should have been loaded for everything except webbrowser-app, but because there was a failure systemctl will show it as failed. Can you file a bug here: https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+filebug? This is a bug in the packaging for webbrowser-app -- if it isn't going to Depends on something that provides these directories, it should ship them.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers