[apparmor] Apparmor chromium complaints

Jamie Strandboge jamie at canonical.com
Mon Jun 15 15:19:30 UTC 2015

On 06/15/2015 07:51 AM, Mark Ballard wrote:
> Apparmor is set in complain mode, out-of-the-box, for Google Chromium.
> It has given me 8 complaints, mostly for write requests.
> It wants me to tell it what to do. But I feel more inclined to answer with a
> question: WTF?!
> It wants write access to: gid_map, setgroups, uid_map,
chromium has started using user namespaces. You are likely to also need 'capability

chromium has started using user namespaces and you are going to need the
following to get it to work again:

  # for unprivileged user namespace sandbox (sigh)
  # LP: #1447345
  capability sys_admin,
  capability sys_chroot,
  @{PROC}/@{pid}/setgroups w,
  @{PROC}/@{pid}/uid_map w,
  @{PROC}/@{pid}/gid_map w,
  @{PROC}/@{pid}/stat r,

This is being discussed in reference to oxide (bindings for the chromium content
api) here:

> And read access to: stat, ptrace_scope, and tcp_fastopen
See above for stat. @{PROC}/sys/kernel/yama/ptrace_scope and
@{PROC}/sys/net/ipv4/tcp_fastopen are both fine.

Jamie Strandboge                 http://www.ubuntu.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150615/afff7b63/attachment.pgp>

More information about the AppArmor mailing list