Ubuntu
webbrowser-app package

webbrowser-app apparmor policy fails to load on desktop

Bug #1511439 reported by Jamie Strandboge
28
This bug affects 6 people
Affects Status Importance Assigned to Milestone
Canonical System Image
Fix Released
High
Bill Filler
Canonical System Image ww02-2016 "ota9"
webbrowser-app (Ubuntu)
Fix Released
High
Olivier Tilloy

Bug Description

$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.webbrowser-app
AppArmor parser error for /etc/apparmor.d/usr.bin.webbrowser-app in /etc/apparmor.d/usr.bin.webbrowser-app at line 26: Could not open '/usr/share/apparmor/hardware/graphics.d'
$
$ sudo aa-status|grep webbrowser
$

This was tested on xenial but affects wily too if it is shipping the policy.

The problem is that apparmor-easyprof-ubuntu normally ships these directories, but it is not installed by default on the desktop image. I suggest shipping these empty directories via the webbrowser-app's packaging:
- /usr/share/apparmor/hardware/audio.d
- /usr/share/apparmor/hardware/graphics.d
- /usr/share/apparmor/hardware/video.d

Related branches

lp:~osomon/webbrowser-app/empty-apparmor-hw-profile-dirs
Jamie Strandboge: Approve
PS Jenkins bot: Approve (continuous-integration)
Ubuntu Phablet Team: Pending requested
Diff: 11 lines (+6/-0)
1 file modified
debian/webbrowser-app.dirs (+6/-0)
Revision history for this message
John Johansen (jjohansen) wrote :

I can confirm, I am seeing this as well in testing

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Note, this means that the webbrowser-app will run unconfined on the desktop.

Revision history for this message
Olivier Tilloy (osomon) wrote :

The version of webbrowser-app in wily (0.23+15.10.20150929-0ubuntu1) doesn’t ship the apparmor policy, it was added in version 0.23+15.10.20151005-0ubuntu1.
So only xenial is affected for now.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Wouldn’t it be acceptable to make webbrowser-app depend on apparmor-easyprof-ubuntu instead?

Olivier Tilloy (osomon)
Changed in webbrowser-app (Ubuntu):
status: New → Triaged
importance: Undecided → High
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

That is an option, but I think that is a superflous dependency. apparmor-easyprof-ubuntu is only for click apps-- you just happen to be leveraging it to make things easier, but the shipped profile doesn't depend on it. All you need to do is create a debina/webbrowser-app.dirs file and put these dirs in it.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Got it. As a side note, there’s nothing in the package’s description that suggests it’s for click apps only:

    Description-en: AppArmor easyprof templates for Ubuntu
     Provides AppArmor easyprof templates and policygroups suitable for use with
     the Ubuntu app ecosystem.

Maybe the description should be updated to make that clear?

Olivier Tilloy (osomon)
Changed in webbrowser-app (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
Olivier Tilloy (osomon)
Changed in webbrowser-app (Ubuntu):
status: Triaged → In Progress
Jean-Baptiste Lallement (jibel)
Changed in canonical-devices-system-image:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Bill Filler (bfiller)
milestone: none → ww02-2016
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webbrowser-app - 0.23+16.04.20151111.2-0ubuntu1

---------------
webbrowser-app (0.23+16.04.20151111.2-0ubuntu1) xenial; urgency=medium

  [ CI Train Bot ]
  * New rebuild forced.
  * Resync trunk.

  [ Olivier Tilloy ]
  * Add missing unit test cleanup.
  * Ship empty apparmor hardware profile directories to avoid adding a
    runtime dependency on apparmor-easyprof-ubuntu. (LP: #1511439)

  [ Ugo Riboni ]
  * Add keyboard shortcuts to undo closing tabs (Ctrl+Shift+T and
    Ctrl+Shift+W). (LP: #1499767)
  * Create the webview in a safer way, by keeping the incubator around
    and monitoring the progress, and by using sync creation if there is
    a pending request. (LP: #1514701)
  * Hide webviews created via onNewViewRequested until the tab they
    belong to becomes current. (LP: #1464436)
  * Use lowercase letters for keyboard shortcut invokation in autopilot
    tests.

 -- Olivier Tilloy <email address hidden> Wed, 11 Nov 2015 16:04:11 +0000

Changed in webbrowser-app (Ubuntu):
status: In Progress → Fix Released
Pat McGowan (pat-mcgowan)
Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released
Pat McGowan (pat-mcgowan)
Changed in canonical-devices-system-image:
status: Fix Released → Fix Committed
Pat McGowan (pat-mcgowan)
Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released
Revision history for this message
Martin (martin3000) wrote :

In ubuntu 17.10, apparmor.service did not start because video.d, audio.d and graphics.d could not be loaded.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

@Martin, do note that the apparmor policy should have been loaded for everything except webbrowser-app, but because there was a failure systemctl will show it as failed. Can you file a bug here: https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+filebug? This is a bug in the packaging for webbrowser-app -- if it isn't going to Depends on something that provides these directories, it should ship them.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.