Forgot to attach the strace.out: http://pastebin.mozilla.org/5198979

On Mon, May 19, 2014 at 5:14 PM, Aaron Lewis <[email protected]> wrote:
> Hmm, that's totally weird.
>
> I have enabled debugging by executing the two lines you provided
>
> # aa-complain /etc/apparmor.d/disable/opt.chromium.chromium.bin.chromium
> Setting /etc/apparmor.d/disable/opt.chromium.chromium.bin.chromium to complain mode.
> # dmesg
> [25817.356803] type=1400 audit(1400490612.786:61): apparmor="STATUS" operation="profile_replace" name="/opt/chromium/chromium/chromium" pid=32072 comm="apparmor_parser"
> [25817.370668] type=1400 audit(1400490612.803:62): apparmor="STATUS" operation="profile_replace" name="chromium_browser_sandbox" pid=32072 comm="apparmor_parser"
> [25817.370983] type=1400 audit(1400490612.803:63): apparmor="STATUS" operation="profile_replace" name="xdgsettings" pid=32072 comm="apparmor_parser"
> [25817.380977] AppArmor: aa_free_profile(ffff8801832e4c00)
> [25817.381019] AppArmor: aa_free_profile(ffff8801832e6000)
> [25817.381034] AppArmor: aa_free_profile(ffff8801832e4800)
> [25820.749065] grsec: process /usr/bin/strace(strace:32093) attached to via ptrace by /usr/bin/strace[strace:32089] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:30284] uid/euid:1000/1000 gid/egid:1000/1000
> [25820.749184] grsec: process /usr/bin/strace(strace:32094) attached to via ptrace by /usr/bin/strace[strace:32089] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:30284] uid/euid:1000/1000 gid/egid:1000/1000
>
> %> strace -s 1024 -o strace.out -ff ./chromium.sh
> Failed to move to new PID namespace: Operation not permitted
>
> On Fri, May 9, 2014 at 11:52 AM, John Johansen <[email protected]> wrote:
>> On 05/08/2014 06:01 PM, Aaron Lewis wrote:
>>> Perhaps I could be restricting /opt/chromium/chromium/chromium.sh instead?
>>>
>> Maybe, there are a couple of things that could cause odd failures. Like scrubbing of environment variables.
>>
>> Can you turn off audit quieting and turn on debugging and then try? As root do
>>
>> echo -n "noquiet" > /sys/module/apparmor/parameters/audit
>> echo 1 > /sys/module/apparmor/parameters/debug
>>
>> and then retry; look in the dmesg log for output.
>>
>> Another possibility is to try stracing chromium and see which syscall it is failing on:
>> strace -s 1024 -o strace.out -f chromium
>>
>> or whatever your command is to start it.
>>
>>
>>> Anyway, with aa-complain I see this: (strace)
>>> rt_sigaction(SIGINT, {0x43b7b0, [], SA_RESTORER, 0x7573aec4fdf0}, {SIG_DFL, [], SA_RESTORER, 0x7573aec4fdf0}, 8) = 0
>>> wait4(-1, /opt/chromium/chromium/chromium: error while loading shared libraries: libicui18n.so.52: cannot open shared object file: No such file or directory
>>>
>>> If I disable that profile, it just works.
>>>
>>> In syslog I only saw this:
>>> [3311.099887] type=1400 audit(1399597036.453:60): apparmor="STATUS" operation="profile_replace" name="/opt/chromium/chromium/chromium" pid=29678 comm="apparmor_parser"
>>> [ 3311.148516] type=1400 audit(1399597036.503:61): apparmor="STATUS" operation="profile_replace" name="chromium_browser_sandbox" pid=29678 comm="apparmor_parser"
>>> [ 3311.148835] type=1400 audit(1399597036.503:62): apparmor="STATUS" operation="profile_replace" name="xdgsettings" pid=29678 comm="apparmor_parser"
>>> [ 3320.977405] grsec: process /usr/bin/strace(strace:29737) attached to via ptrace by /usr/bin/strace[strace:29735] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:29692] uid/euid:1000/1000 gid/egid:1000/1000
>>>
>>>
>>> On Thu, May 8, 2014 at 10:07 AM, Aaron Lewis <[email protected]> wrote:
>>>> That old version of libicuXXX does not exist anywhere else.
>>>>
>>>> On Thu, May 8, 2014 at 10:06 AM, Aaron Lewis <[email protected]> wrote:
>>>>> Too bad, there are no "denied" messages in syslog.
>>>>>
>>>>> Not with aa-enforce or aa-complain.
>>>>>
>>>>> Also, I'm running an old version of libicuXX.so.VERSION (Arch Linux).
>>>>>
>>>>> On Tue, May 6, 2014 at 1:38 PM, Seth Arnold <[email protected]> wrote:
>>>>>> On Tue, May 06, 2014 at 08:40:09AM +0800, Aaron Lewis wrote:
>>>>>>>
>>>>>>> %> cat /opt/chromium/chromium/chromium.sh
>>>>>>> #!/bin/bash
>>>>>>>
>>>>>>> export LD_LIBRARY_PATH=/opt/chromium/libs/
>>>>>>> /opt/chromium/chromium/chromium "$@"
>>>>>>>
>>>>>>> When I enforce the opt.chromium.chromium.chromium.sh policy, it says:
>>>>>>> (No problem running it if aa is disabled)
>>>>>>> %> /opt/chromium/chromium/chromium.sh
>>>>>>> /opt/chromium/chromium/chromium: error while loading shared libraries: libicui18n.so.52: cannot open shared object file: No such file or directory
>>>>>>>
>>>>>>> But I already have: "/opt/chromium/libs/* rm," in that profile, anything wrong?
>>>>>>>
>>>>>>> That profile is for "/opt/chromium/chromium/chromium", not the script though.
>>>>>>
>>>>>> LD_LIBRARY_PATH adds to the library path, it doesn't replace it entirely; on my system, this library is in /usr/lib/x86_64-linux-gnu/libicui18n.so.52.1
>>>>>>
>>>>>> Does this library exist in /opt/chromium/libs/ or elsewhere in a path referenced via /etc/ld.so.conf or one of ld.so's defaults?
>>>>>> Does your profile allow 'rm' access to this library?
>>>>>>
>>>>>> Hopefully your system logs will contain more information; if not in /var/log/syslog then perhaps in /var/log/audit/audit.log.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> --
>>>>>> AppArmor mailing list
>>>>>> [email protected]
>>>>>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
>>>>> Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
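Seth's point about LD_LIBRARY_PATH, as an added example that is not part of the thread: a small shell script that walks the loader's search order (LD_LIBRARY_PATH entries first, then the system directories, which it approximates with a list you supply in SYSTEM_LIB_DIRS rather than by parsing /etc/ld.so.conf) to find where a library really comes from, and then checks whether a profile has a file rule whose glob covers that path with the requested permission letters. The file tree and the profile text it runs on are constructed to mirror the thread (a bundled libs directory that lacks libicui18n.so.52, a system copy the profile never mentions); the glob translation handles *, ** and ? only, not alternation braces or @{variables}.

```shell
#!/bin/sh
# Added example, not code from the thread. Where does ld.so actually find a
# library, and does the AppArmor profile cover that path?

# Stand-in for /etc/ld.so.conf plus ld.so's built-in defaults; override per
# system (assumption: you know the directories, this does not parse ld.so.conf).
SYSTEM_LIB_DIRS="${SYSTEM_LIB_DIRS:-/usr/lib/x86_64-linux-gnu /usr/lib /lib}"

# resolve_lib NAME [LD_LIBRARY_PATH]: print the first path where NAME exists,
# searching LD_LIBRARY_PATH entries first and the system directories after
# them. LD_LIBRARY_PATH is prepended to the search, not substituted for it.
resolve_lib() {
    lib=$1
    ldpath=$(printf '%s' "${2-}" | tr ':' ' ')
    for d in $ldpath $SYSTEM_LIB_DIRS; do
        if [ -e "$d/$lib" ]; then
            printf '%s\n' "$d/$lib"
            return 0
        fi
    done
    return 1
}

# rule_covers PROFILE_FILE PATH PERMS: succeed if a file rule in the profile
# matches PATH and grants every letter in PERMS (e.g. "rm"). Understands the
# AppArmor globs * (no slash), ** (anything) and ?; braces and @{variables}
# are not handled (assumption: the profile under test does not use them).
rule_covers() {
    awk -v target="$2" -v need="$3" '
        function glob_to_ere(g,    r) {
            r = g
            gsub(/[.+^$()|{}]/, "\\\\&", r)   # escape ERE metacharacters
            gsub(/\*\*/, "\001", r)            # ** -> any characters
            gsub(/\*/, "[^/]*", r)             # *  -> anything but /
            gsub("\001", ".*", r)
            gsub(/\?/, "[^/]", r)
            return "^" r "$"
        }
        # file rule: optional "owner", an absolute glob, permission letters, comma
        /^[ \t]*(owner[ \t]+)?\/[^ \t]+[ \t]+[a-zA-Z]+[ \t]*,/ {
            line = $0
            sub(/^[ \t]*(owner[ \t]+)?/, "", line)
            sub(/[ \t]*,.*$/, "", line)
            split(line, f, /[ \t]+/)
            if (target ~ glob_to_ere(f[1])) {
                ok = 1
                for (i = 1; i <= length(need); i++)
                    if (index(f[2], substr(need, i, 1)) == 0) ok = 0
                if (ok) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Self-contained run on a constructed file tree mirroring the thread: the
# bundled libs directory has no libicui18n.so.52, the system lib directory
# does, and the profile only mentions the bundled directory.
demo() {
    T=$(mktemp -d)
    mkdir -p "$T/opt/chromium/libs" "$T/usr/lib"
    : > "$T/opt/chromium/libs/libbundled.so.1"
    : > "$T/usr/lib/libicui18n.so.52"
    SYSTEM_LIB_DIRS="$T/usr/lib"
    found=$(resolve_lib libicui18n.so.52 "$T/opt/chromium/libs") || found=MISSING
    found=${found#"$T"}               # strip the fake root for display
    # Constructed profile text modelled on the thread's "/opt/chromium/libs/* rm," rule.
    cat > "$T/profile" <<'EOF'
/opt/chromium/chromium/chromium {
  /opt/chromium/libs/* rm,
}
EOF
    before=no; rule_covers "$T/profile" "$found" rm && before=yes
    # The fix: grant r+m on the system copy of the ICU libraries as well.
    cat > "$T/profile" <<'EOF'
/opt/chromium/chromium/chromium {
  /opt/chromium/libs/* rm,
  /usr/lib/libicu*.so* rm,
}
EOF
    after=no; rule_covers "$T/profile" "$found" rm && after=yes
    rm -rf "$T"
    printf 'found=%s covered_before=%s covered_after=%s\n' "$found" "$before" "$after"
}

demo
```

On a real system, run resolve_lib with the same LD_LIBRARY_PATH the wrapper script exports and feed rule_covers the profile under /etc/apparmor.d; a library that resolves to a path no rule covers with r and m is exactly the symptom the thread describes.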
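For John's two suggestions (read dmesg with audit quieting off, and strace to find the failing syscall), an added example that is not from the thread: two awk filters, one that pulls apparmor="DENIED" records out of audit lines and merges them into candidate file rules, and one that lists failed open/stat calls from strace output with their errno. The distinction matters: ENOENT means the path is genuinely absent (as for the bundled libs directory here), while EACCES on a path that exists means access was refused, which is what an AppArmor file denial returns. The audit records and strace lines in demo are constructed; the thread's own dmesg shows only STATUS records. One caveat when stracing Chromium in particular: a setuid helper does not gain privilege while it is being ptraced by an unprivileged tracer, so the "Failed to move to new PID namespace" message under strace is a side effect of tracing the setuid sandbox and is not evidence about the profile.

```shell
#!/bin/sh
# Added example, not code from the thread: triage helpers for the two kinds
# of evidence discussed, AppArmor audit records and strace output.

# aa_denials: audit lines on stdin -> one line per apparmor="DENIED" record:
#   profile <TAB> operation <TAB> name <TAB> denied_mask
# STATUS records such as the profile_replace lines in the thread are skipped.
aa_denials() {
    awk '
        function field(key,    re) {
            re = " " key "=\"[^\"]*\""
            return match($0, re) ? substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4) : "?"
        }
        /apparmor="DENIED"/ {
            printf "%s\t%s\t%s\t%s\n", field("profile"), field("operation"), field("name"), field("denied_mask")
        }'
}

# aa_suggest: aa_denials output on stdin -> candidate file rules, merging the
# masks seen per path. A denial on a path the program has no business touching
# is a finding to investigate, not a rule to add.
aa_suggest() {
    awk -F'\t' '
        $3 ~ /^\// {
            for (i = 1; i <= length($4); i++) {
                c = substr($4, i, 1)
                if (index(m[$3], c) == 0) m[$3] = m[$3] c
            }
        }
        END { for (p in m) printf "  %s %s,\n", p, m[p] }' | sort
}

# strace_failed_opens: strace output on stdin (with or without the pid prefix
# that -f -o adds) -> errno <TAB> path for each failed open/openat/stat/access.
# ENOENT: the file is not there. EACCES on a file that exists: a DAC or MAC
# refusal; AppArmor file denials come back as EACCES.
strace_failed_opens() {
    awk '
        /^([0-9]+ +)?(open|openat|access|stat|lstat)\(/ && /= -1 E[A-Z]+/ {
            match($0, /"[^"]*"/);      path = substr($0, RSTART + 1, RLENGTH - 2)
            match($0, /= -1 E[A-Z]+/); err  = substr($0, RSTART + 5, RLENGTH - 5)
            printf "%s\t%s\n", err, path
        }'
}

demo() {
    # Constructed sample records in the kernel's type=1400 format.
    audit='[  100.000] type=1400 audit(1400490612.786:61): apparmor="STATUS" operation="profile_replace" name="/opt/chromium/chromium/chromium" pid=32072 comm="apparmor_parser"
[  101.000] type=1400 audit(1400490613.100:62): apparmor="DENIED" operation="open" profile="/opt/chromium/chromium/chromium" name="/usr/lib/libicui18n.so.52" pid=32100 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  101.001] type=1400 audit(1400490613.101:63): apparmor="DENIED" operation="file_mmap" profile="/opt/chromium/chromium/chromium" name="/usr/lib/libicui18n.so.52" pid=32100 comm="chromium" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0'
    # Constructed strace -f -o lines: the bundled directory has no copy
    # (ENOENT), the system copy exists but is refused (EACCES).
    trace='32100 open("/opt/chromium/libs/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
32100 open("/usr/lib/libicui18n.so.52", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
32100 open("/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3'
    printf '%s\n' "$audit" | aa_denials | aa_suggest
    printf '%s\n' "$trace" | strace_failed_opens
}

demo
```

On a live system: dmesg | aa_denials | aa_suggest after the noquiet/debug toggles above, and cat strace.out.* | strace_failed_opens for the per-process files that -ff writes.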
