[apparmor] Apparmor chromium complaints

Mark Ballard markjballard at googlemail.com
Mon Jun 15 12:51:34 UTC 2015


AppArmor is set in complain mode, out-of-the-box, for Google Chromium.

It has given me 8 complaints, mostly for write requests.

It wants me to tell it what to do. But I feel more inclined to answer with
a question: WTF?!

It wants write access to: gid_map, setgroups, uid_map.
And read access to: stat, ptrace_scope, and tcp_fastopen.

It made 3 requests (bizarrely) for write permission to gid_map.

I told it Yes in all cases. Was this wise? Or should I have said no? If it
was wise, why bother me with it in the first place?

Profile:  /usr/lib/chromium-browser/chromium-browser
Path:     /proc/10203/gid_map
Mode:     w
Severity: 9

Profile:  /usr/lib/chromium-browser/chromium-browser
Path:     /proc/10203/gid_map
Mode:     w
Severity: 9

Profile:  /usr/lib/chromium-browser/chromium-browser
Path:     /proc/10203/gid_map
Mode:     w
Severity: 9

Profile:  /usr/lib/chromium-browser/chromium-browser
Path:     /proc/10203/setgroups
Mode:     w
Severity: 9

Profile:  /usr/lib/chromium-browser/chromium-browser
Path:     /proc/10203/uid_map
Mode:     w
Severity: 9

Profile:  /usr/lib/chromium-browser/chromium-browser
Path:     /proc/10534/stat
Mode:     r
Severity: 6

Profile:  /usr/lib/chromium-browser/chromium-browser
Path:     /proc/sys/kernel/yama/ptrace_scope
Mode:     r
Severity: 6

Profile:  /usr/lib/chromium-browser/chromium-browser
Path:     /proc/sys/net/ipv4/tcp_fastopen
Mode:     r
Severity: 6