For name="/usr/lib/i386-linux-gnu/libstdc++.so.6.0.18" change
    /usr/lib/libstdc++.so* mr,
to
    /usr/lib/{@{multiarch}/,}libstdc++.so.* mr,


For name="/lib/i386-linux-gnu/libgcc_s.so.1" change
    /lib/libgcc_s.so* mr,
to
    /lib/{@{multiarch}/,}libgcc_s.so* mr,


For name="/usr/bin/lsb_release" add
    /usr/bin/lsb_release ix,

The GoogleTalkPlugin needs access to
name="/sys/devices/system/cpu/cpu0/topology/core_id" and
name="/sys/devices/system/cpu/present"; add
    /sys/devices/system/cpu/cpu*/topology/core_id r,
    /sys/devices/system/cpu/present r,


For entries with profile="/usr/lib/chromium-browser/chromium-browser//null-XXX",
where XXX is a number, this is a learning profile where AppArmor doesn't know
which profile the access should be added to.  We selected ix above, so add these
entries to the /usr/lib/chromium-browser/chromium-browser profile.

For name="/etc/ld.so.cache" add
    /etc/ld.so.cache r,


For name="/usr/lib/chromium-browser/" add
    /usr/lib/chromium-browser/ r,

For name="/usr/lib/chromium-browser/libs/" add
    /usr/lib/chromium-browser/libs/ r,

-- 
https://bugs.launchpad.net/bugs/1219800

Title:
  whitelist some apparmor messages for chromium browser

Status in “chromium-browser” package in Ubuntu:
  Confirmed

Bug description:
  apparmor="ALLOWED" operation="open" parent=22477 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/usr/lib/i386-linux-gnu/libstdc++.so.6.0.18" pid=14545 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  apparmor="ALLOWED" operation="file_mmap" parent=22477 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/usr/lib/i386-linux-gnu/libstdc++.so.6.0.18" pid=14545 comm="chromium-browse" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0

  apparmor="ALLOWED" operation="open" parent=22477 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/lib/i386-linux-gnu/libgcc_s.so.1" pid=14545 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  apparmor="ALLOWED" operation="file_mmap" parent=22477 profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" name="/lib/i386-linux-gnu/libgcc_s.so.1" pid=14545 comm="chromium-browse" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0

  
  Less important:

  apparmor="ALLOWED" operation="exec" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/usr/bin/lsb_release" @@@@ comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/chromium-browser/chromium-browser//null-16"

  apparmor="ALLOWED" operation="getattr" ##### profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/etc/ld.so.cache" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  apparmor="ALLOWED" operation="getattr" ##### profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/usr/lib/chromium-browser/" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  apparmor="ALLOWED" operation="getattr" ##### profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/usr/lib/chromium-browser/libs/" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu1/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu2/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu3/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/present" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  apparmor="ALLOWED" operation="open" ##### profile="/usr/lib/chromium-browser/chromium-browser//null-16" name="/etc/ld.so.cache" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
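
The triage described in the comment above (fold `//null-XXX` learning profiles into their parent, widen the multiarch and per-CPU paths, merge `r` and `mr` for the same file) can be scripted. This is an added example, not part of the bug report and not aa-logprof's code; the function names are hypothetical, and mapping `x` to `ix` follows the choice made in the comment.

```python
import re
from collections import defaultdict

# Sample input: six records from the bug description, one per line
# (reporter's ##### / @@@@ redactions kept; the parser skips them).
P = "/usr/lib/chromium-browser/chromium-browser"
SAMPLE = [
    f'apparmor="ALLOWED" operation="open" parent=22477 profile="{P}//chromium_browser_sandbox" name="/lib/i386-linux-gnu/libgcc_s.so.1" pid=14545 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    f'apparmor="ALLOWED" operation="file_mmap" parent=22477 profile="{P}//chromium_browser_sandbox" name="/lib/i386-linux-gnu/libgcc_s.so.1" pid=14545 comm="chromium-browse" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0',
    f'apparmor="ALLOWED" operation="exec" ##### profile="{P}" name="/usr/bin/lsb_release" @@@@ comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="{P}//null-16"',
    f'apparmor="ALLOWED" operation="open" ##### profile="{P}//null-16" name="/etc/ld.so.cache" @@@@ comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    f'apparmor="ALLOWED" operation="open" ##### profile="{P}" name="/sys/devices/system/cpu/cpu0/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    f'apparmor="ALLOWED" operation="open" ##### profile="{P}" name="/sys/devices/system/cpu/cpu3/topology/core_id" @@@@ comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TRIPLET = re.compile(r'^(/usr)?/lib/[a-z0-9_]+-linux-gnu[a-z0-9]*/')

def parse_event(line):
    """Split key=value / key="value" pairs; tokens without '=' are ignored."""
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}

def owning_profile(profile):
    """//null-N is a transient learning profile; its rules go to the parent."""
    return re.sub(r'//null-\d+$', '', profile)

def generalize(path):
    """Widen a logged path the way the comment's rules do."""
    path = TRIPLET.sub(lambda m: f"{m.group(1) or ''}/lib/{{@{{multiarch}}/,}}", path)
    path = re.sub(r'\.so(\.\d+)+$', '.so*', path)   # drop the library version
    return re.sub(r'/cpu\d+/', '/cpu*/', path)      # any CPU index

def suggest_rules(lines):
    """Return {profile: [rule, ...]} with masks merged per generalized path."""
    perms = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ev = parse_event(line)
        if ev.get("apparmor") not in ("ALLOWED", "DENIED") or "name" not in ev:
            continue
        perms[owning_profile(ev["profile"])][generalize(ev["name"])] |= set(ev["requested_mask"])
    rules = {}
    for prof, paths in perms.items():
        rules[prof] = []
        for path, mask in sorted(paths.items()):
            mode = "".join(c for c in "mrwkl" if c in mask) + ("ix" if "x" in mask else "")
            rules[prof].append(f"{path} {mode},")
    return rules
```

Hat profiles such as `//chromium_browser_sandbox` are kept separate on purpose, since their rules belong in the hat and not in the parent profile.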
