chromium-browser profile is too noisy with chromium-browser 23
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Oneiric | Fix Released | Undecided | Jamie Strandboge |
Precise | Fix Released | Undecided | Jamie Strandboge |
Quantal | Fix Released | Undecided | Jamie Strandboge |
Raring | Fix Released | Undecided | Jamie Strandboge |
Bug Description
[Impact]
Enabling the chromium-browser profile results in denials with normal usage. The fix in the development release adds:
@{PROC}
@{PROC}
/etc/
/sys/
/sys/
# This is requested, but doesn't seem to actually be needed so deny for now
deny /run/udev/data/** r,
[Test Case]
1. install apparmor-profiles and chromium-browser
2. enable the chromium-browser profile
3. start chromium. Several denials will show up in /var/log/kern.log without this patch. Note that the patch adds additional accesses needed for the upcoming chromium-browser 23
[Regression Potential]
Regression potential is very low. The chromium-browser profile is not installed by default and when it is installed, the user must enable it. Furthermore, the changes to the profile only provide additional accesses (there is a 'deny' rule, but this is to silence logging the denial).
= Original report =
Dec 18 15:13:17 sec-raring-amd64 kernel: [ 632.680157] type=1400 audit(135586519
Dec 18 15:13:17 sec-raring-amd64 kernel: [ 632.717497] type=1400 audit(135586519
Dec 18 15:13:17 sec-raring-amd64 kernel: [ 632.717580] type=1400 audit(135586519
...
Dec 18 15:14:37 sec-raring-amd64 kernel: [ 713.153758] type=1400 audit(135586527
Dec 18 15:14:37 sec-raring-amd64 kernel: [ 713.153856] type=1400 audit(135586527
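To triage the denials that step 3 of the test case produces, the kern.log entries can be grouped by path and denied mask before deciding which accesses to allow and which to silence with a `deny` rule. The following is an added example, not part of the bug report or of the AppArmor project; the log lines are constructed in the kernel's AppArmor audit format, and the profile name, host, pid and every path other than the /run/udev/data/ prefix are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the kernel's AppArmor audit format (not from the bug report).
# Profile name, host, pid and all paths except the /run/udev/data/ prefix are assumptions.
PROFILE = "/usr/lib/chromium-browser/chromium-browser"
_ROWS = [
    ("DENIED", '"/run/udev/data/c1:3"', "r"),
    ("DENIED", '"/run/udev/data/c1:3"', "r"),
    ("DENIED", '"/etc/example.conf"', "r"),
    ("DENIED", "2F746D702F612062", "w"),     # unquoted hex form used for names with spaces
    ("ALLOWED", '"/etc/other.conf"', "r"),   # complain-mode entry, must be skipped
]
_LINE = ('Jan  1 00:00:0{i} example-host kernel: [  100.00000{i}] type=1400 '
         'audit(1000000000.00{i}:{i}): apparmor="{verdict}" operation="open" '
         'profile="' + PROFILE + '" name={name} pid=4242 comm="chromium-browse" '
         'requested_mask="{mask}" denied_mask="{mask}" fsuid=1000 ouid=0')
SAMPLE_LOG = "\n".join(_LINE.format(i=i, verdict=v, name=n, mask=m)
                       for i, (v, n, m) in enumerate(_ROWS))

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return a dict of audit fields for every AppArmor DENIED line in text."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for key, quoted, bare in FIELD.findall(line):
            value = bare or quoted
            if key == "name" and bare:
                try:  # an unquoted name is hex-encoded by the audit subsystem
                    value = bytes.fromhex(bare).decode("utf-8", "replace")
                except ValueError:
                    pass  # not hex: keep the raw token
            rec[key] = value
        records.append(rec)
    return records

def summarize(records):
    """Count denials per (profile, path, denied_mask), most frequent first."""
    keys = ((r.get("profile"), r.get("name"), r.get("denied_mask")) for r in records)
    return Counter(keys).most_common()

if __name__ == "__main__":
    for (profile, path, mask), n in summarize(parse_denials(SAMPLE_LOG)):
        print(f"{n:3d}  {mask:<3} {path}  [{profile}]")
```

On a real system, pass the contents of /var/log/kern.log to `parse_denials` instead of `SAMPLE_LOG`.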
summary: |
- chromium-browser profile is too noisy
+ chromium-browser profile is too noisy with chromium-browser 23 |
Changed in apparmor (Ubuntu Quantal): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
status: | New → In Progress |
Changed in apparmor (Ubuntu Raring): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
status: | New → In Progress |
description: | updated |
Changed in apparmor (Ubuntu Oneiric): | |
status: | In Progress → Fix Committed |
Changed in apparmor (Ubuntu Precise): | |
status: | In Progress → Fix Committed |
I plan on updating 11.10 and 12.04 with the fix for bug #1045986 (going through -security) since currently the profile is broken anyway.