[apparmor] Apparmor chromium complaints
Jamie Strandboge
jamie at canonical.com
Mon Jun 15 15:19:30 UTC 2015
On 06/15/2015 07:51 AM, Mark Ballard wrote:
> Apparmor is set in complain mode, out-of-the-box, for Google Chromium.
>
> It has given me 8 complaints, mostly for write requests.
>
> It wants me to tell it what to do. But I feel more inclined to answer with a
> question: WTF?!
>
> It wants write access to: gid_map, setgroups, uid_map,
chromium has started using user namespaces and you are going to need the
following to get it to work again:
# for unprivileged user namespace sandbox (sigh)
# LP: #1447345
capability sys_admin,
capability sys_chroot,
@{PROC}/@{pid}/setgroups w,
@{PROC}/@{pid}/uid_map w,
@{PROC}/@{pid}/gid_map w,
@{PROC}/@{pid}/stat r,
This is being discussed in reference to oxide (bindings for the chromium content
api) here:
http://launchpad.net/bugs/1447345
> And read access to: stat, ptrace_scope, and tcp_fastopen
>
See above for stat. @{PROC}/sys/kernel/yama/ptrace_scope and
@{PROC}/sys/net/ipv4/tcp_fastopen are both fine.
--
Jamie Strandboge http://www.ubuntu.com/
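As an added example (not code from the thread or from the AppArmor project): a small Python script that turns complain-mode audit lines like the ones behind the eight complaints into candidate profile rules, generalising /proc/<pid>/ paths to @{PROC}/@{pid}/ the way the rules quoted above do. The log lines, the profile path and the helper names are constructed for illustration and are not taken from any real system.

```python
import re
from collections import OrderedDict

# Constructed complain-mode audit lines (in complain mode AppArmor logs the
# event as ALLOW instead of blocking it). Profile path and pid are placeholders.
SAMPLE_LOG = """\
type=AVC msg=audit(1434381570.100:101): apparmor="ALLOW" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=4242 comm="chromium-browse" capability=21 capname="sys_admin"
type=AVC msg=audit(1434381570.101:102): apparmor="ALLOW" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=4242 comm="chromium-browse" capability=18 capname="sys_chroot"
type=AVC msg=audit(1434381570.102:103): apparmor="ALLOW" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/4242/setgroups" pid=4242 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
type=AVC msg=audit(1434381570.103:104): apparmor="ALLOW" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/4242/uid_map" pid=4242 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
type=AVC msg=audit(1434381570.104:105): apparmor="ALLOW" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/4242/gid_map" pid=4242 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
type=AVC msg=audit(1434381570.105:106): apparmor="ALLOW" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/4242/stat" pid=4242 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1434381570.106:107): apparmor="ALLOW" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/sys/kernel/yama/ptrace_scope" pid=4242 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1434381570.107:108): apparmor="ALLOW" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/sys/net/ipv4/tcp_fastopen" pid=4242 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(line):
    """Return the key=value pairs of one audit line with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def to_rule(ev):
    """Map one event to an AppArmor rule; None if it is neither a file nor a
    capability event."""
    if ev.get('operation') == 'capable':
        return 'capability %s,' % ev['capname']
    name, mask = ev.get('name'), ev.get('requested_mask')
    if not name or not mask:
        return None
    # Replace the pid-specific prefix with the profile variables used in the
    # thread, so one rule covers every renderer/zygote process.
    name = re.sub(r'^/proc/\d+/', '@{PROC}/@{pid}/', name)
    name = re.sub(r'^/proc/', '@{PROC}/', name)
    return '%s %s,' % (name, mask)

def suggest_rules(log_text, profile=None):
    """Collect the unique rules (first-seen order), optionally for one profile."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        ev = parse_fields(line)
        if ev.get('apparmor') not in ('ALLOW', 'DENIED'):
            continue
        if profile and ev.get('profile') != profile:
            continue
        rule = to_rule(ev)
        if rule:
            rules[rule] = None
    return list(rules)

if __name__ == '__main__':
    print('\n'.join(suggest_rules(SAMPLE_LOG)))
```

The output is a starting point for review, not a profile to paste: capability sys_admin in particular is far broader than the namespace setup it is needed for, which is why the thread's comment marks it with "(sigh)".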