[apparmor] [Bug 799684] Re: default chromium profile does not work when set to enforce

Craig Hurley 799684 at bugs.launchpad.net
Mon Jun 20 11:15:30 UTC 2011


** Attachment added: "complain.log"
   https://bugs.launchpad.net/bugs/799684/+attachment/2175765/+files/complain.log

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/799684

Title:
  default chromium profile does not work when set to enforce

Status in AppArmor Linux application security framework:
  New

Bug description:
  When I enforce the chromium profile provided in apparmor-profiles,
  chromium will not start.  I have a basic install of chromium, no
  plugins enabled, so I would have expected the default profile to work
  out of the box.  Here's what I'm seeing:

  
  $ sudo aptitude show apparmor | grep -i version
  Version: 2.6.1-0ubuntu3

  
  $ sudo aptitude show chromium-browser | grep -i version
  Version: 12.0.742.91~r87961-0ubuntu0.11.04.1

  
  $ sudo aa-enforce /etc/apparmor.d/usr.bin.chromium-browser 
  Setting /etc/apparmor.d/usr.bin.chromium-browser to enforce mode.

  I start chromium, but it does not open.  I get the following in /var/log/syslog:
  Jun 20 22:35:24 ubuntu1104 kernel: [  553.188283] type=1400 audit(1308566124.062:792): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=2989 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Jun 20 22:35:24 ubuntu1104 kernel: [  553.207262] type=1400 audit(1308566124.078:793): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=2994 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Jun 20 22:35:24 ubuntu1104 kernel: [  553.291467] type=1400 audit(1308566124.162:794): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/pci0000:00/0000:00:00.0/resource" pid=2989 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  
  $ sudo aa-complain /etc/apparmor.d/usr.bin.chromium-browser 
  Setting /etc/apparmor.d/usr.bin.chromium-browser to complain mode.

  I start chromium and it opens.  See the attached complain.log

  
  p.s. To solve the issue, I'm adding the following to /etc/apparmor.d/local/usr.bin.chromium-browser and enforcing usr.bin.chromium, but I'm not overly confident about this solution:

  /sys/devices/pci*/**/* r,
  /sys/devices/system/cpu/**/* r,
  @{HOME}/.mozilla/firefox/* r,
  /usr/bin/xdg-settings ixr,
  /usr/bin/xdg-mime ixr,
  /bin/which ixr,
  /bin/readlink ixr,
  /usr/bin/cut ixr,
  /usr/bin/basename ixr,
  /usr/bin/mawk ixr,
  /usr/bin/gconftool-2 ixr,

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/799684/+subscriptions
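Added example (not part of the bug report, and not code from the AppArmor project): a small Python script that parses kernel audit lines like the DENIED events above into the narrowest exact-path allow rules that would satisfy them, and flags the globbed entries in a local override (such as the reporter's) that grant more than the log actually showed. The sample log is constructed from the three lines quoted in the bug plus one invented "exec" event; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the syslog lines quoted in the bug; the final
# "exec" event is invented here to exercise the execute-permission case.
SAMPLE_SYSLOG = """\
Jun 20 22:35:24 ubuntu1104 kernel: [  553.188283] type=1400 audit(1308566124.062:792): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=2989 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 20 22:35:24 ubuntu1104 kernel: [  553.207262] type=1400 audit(1308566124.078:793): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=2994 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 20 22:35:24 ubuntu1104 kernel: [  553.291467] type=1400 audit(1308566124.162:794): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/pci0000:00/0000:00:00.0/resource" pid=2989 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 20 22:35:25 ubuntu1104 kernel: [  553.400000] type=1400 audit(1308566125.000:795): apparmor="DENIED" operation="exec" parent=2989 profile="/usr/lib/chromium-browser/chromium-browser" name="/usr/bin/xdg-settings" pid=3001 comm="chromium-browse" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""
# First three rules of the reporter's local override, as quoted in the bug.
LOCAL_OVERRIDE = """\
/sys/devices/pci*/**/* r,
/sys/devices/system/cpu/**/* r,
/usr/bin/xdg-settings ixr,
"""
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Split one kernel audit line into its key=value fields; None if not AppArmor."""
    if 'apparmor="' not in line:
        return None
    return {k: q or u for k, q, u in KV_RE.findall(line)}

def denied_masks(text):
    """Union denied_mask over every DENIED event, keyed by (profile, path)."""
    masks = defaultdict(set)
    for line in text.splitlines():
        ev = parse_audit_line(line)
        if ev and ev.get("apparmor") == "DENIED" and "name" in ev:
            masks[(ev["profile"], ev["name"])].update(ev.get("denied_mask", ""))
    return masks

def suggest_rules(text):
    """Exact-path allow rules per profile; an 'x' denial becomes inherit-exec (ix)."""
    rules = defaultdict(list)
    for (profile, path), mask in sorted(denied_masks(text).items()):
        perms = ("ix" if "x" in mask else "") + "".join(c for c in "rwmkl" if c in mask)
        rules[profile].append(f"{path} {perms},")
    return dict(rules)

def broad_rules(profile_text):
    """Rules whose path globs ('*'); they grant more than the denials required."""
    return [ln.strip() for ln in profile_text.splitlines()
            if ln.strip() and "*" in ln.split()[0]]

if __name__ == "__main__":
    print(suggest_rules(SAMPLE_SYSLOG), broad_rules(LOCAL_OVERRIDE), sep="\n")
```

The exact-path rules are what the log justifies; comparing them with the globbed override shows how much extra of /sys the wildcard entries open up.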
