[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
** Changed in: chromium-browser (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1714244 Title: [snap] apparmor denials on /etc/chromium-browser/policies/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1714244/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
Indeed, for historical reasons the Ubuntu package (and now the snap) will look for policies under /etc/chromium-browser/, not /etc/chromium/. It's a bit unfortunate from a documentation POV, but I believe this was originally mandated by the Debian packaging policy because the package was named "chromium-browser", not "chromium".
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
According to the official docs: https://www.chromium.org/administrators/linux-quick-start/

The path should be `/etc/chromium`

If the Ubuntu package maintainers move the path, how do people know where the new path is?
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
@Olivier Ah, sorry, thank you for explaining this. This isn't what I want to do, I was just trying to strip back to the basics of what https://www.chromium.org/administrators/linux-quick-start said to do and demonstrate that it wasn't working.

I changed my policy so it says

    { "RestoreOnStartupURLs": "www.chromium.org" }

Now when I open chromium, it doesn't go to www.chromium.org. When I go to chrome://policy it reports RestoreOnStartupURLs has value www.chromium.org but says there is an error "Expected list value".

I changed it to

    { "RestoreOnStartupURLs": ["www.chromium.org"] }

And it works.

It is a shame the example code given on https://www.chromium.org/administrators/linux-quick-start doesn't function any more.

What got me to this point was trying to set

    { "EnableMediaRouter": false }

to stop chromium from monitoring network ports. Previously I couldn't get chromium to acknowledge a policy is set, but now I see I am able to set policy, but this one is not enforced. Still, I think this is a different problem to this thread.

Thanks again!
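Added example, not part of the thread and not Chromium or Ubuntu packaging code: a pre-deployment check for managed policy files that catches the "Expected list value" type error reported above and also flags policy files that someone other than their owner could rewrite. The type table is a hand-written subset covering only the three policies named in this thread, and the sample files are constructed.

```python
import json
import os
import tempfile
from pathlib import Path

# Expected JSON types for the three policies named in this thread.
# Assumption: a hand-written subset, not Chromium's full policy schema.
EXPECTED = {
    "HomepageLocation": (str, "string"),
    "RestoreOnStartupURLs": (list, "list"),
    "EnableMediaRouter": (bool, "boolean"),
}

def check_policy_file(path):
    """Return a list of problems found in one managed-policy JSON file."""
    path = Path(path)
    problems = []
    # Managed policy is meant to be set by the sysadmin only, so flag
    # files that group or other users could rewrite.
    if path.stat().st_mode & 0o022:
        problems.append(f"{path.name}: writable by group or others")
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except ValueError as exc:
        return problems + [f"{path.name}: invalid JSON ({exc})"]
    if not isinstance(data, dict):
        return problems + [f"{path.name}: top level must be a JSON object"]
    for name, value in data.items():
        if name not in EXPECTED:
            problems.append(f"{path.name}: {name}: not in the checked subset")
            continue
        py_type, label = EXPECTED[name]
        if not isinstance(value, py_type):
            problems.append(f"{path.name}: {name}: expected {label} value")
        elif py_type is list and not all(isinstance(v, str) for v in value):
            problems.append(f"{path.name}: {name}: list items must be strings")
    return problems

def check_policy_dir(directory):
    """Check every *.json file in a policy directory, in name order."""
    problems = []
    for path in sorted(Path(directory).glob("*.json")):
        problems.extend(check_policy_file(path))
    return problems

def demo():
    """Run the checks over constructed sample files in a temporary directory."""
    samples = {  # constructed inputs, modelled on the policies quoted above
        "10_bad_type.json": ('{ "RestoreOnStartupURLs": "www.chromium.org" }', 0o644),
        "20_good.json": ('{ "RestoreOnStartupURLs": ["www.chromium.org"] }', 0o644),
        "30_loose_mode.json": ('{ "EnableMediaRouter": false }', 0o666),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (text, mode) in samples.items():
            target = Path(tmp) / name
            target.write_text(text, encoding="utf-8")
            os.chmod(target, mode)
        return check_policy_dir(tmp)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

To check a real installation, call check_policy_dir() on whichever policy directory the installed package reads.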
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
"HomepageLocation" has a bit of a misleading name. It defines only the page that is opened when clicking the homepage toolbar button, which isn't a thing anymore.

So what you really want to define is "RestoreOnStartupURLs" (https://www.chromium.org/administrators/policy-list-3#RestoreOnStartupURLs).
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
@Olivier Thank you for working on this, but chromium policies do not appear to be working for me.

I have Chromium Version 86.0.4240.183 (Official Build) snap (64-bit) running on Ubuntu Budgie.

Following https://www.chromium.org/administrators/linux-quick-start to test if policies are being enforced I set up a policy test_policy.json which contains

    { "HomepageLocation": "www.chromium.org" }

I made this policy in /var/snap/chromium/current/policies/managed which I saw referenced in https://git.launchpad.net/~chromium-team/chromium-browser/+git/snap-from-source/commit/?id=6f2b87da50bce971f4baadae348331e1bd024cb8 but it did not work.

By "did not work", I mean when I restart chromium my homepage is not www.chromium.org. Also I noticed that when I open chromium and go to chrome://policy it says HomepageLocation is set to

    Policy Value: www.chromium.org
    Source: Platform
    Applies to: Machine
    Level: Mandatory
    Status: OK

Which seems fine, but then the homepage is not that so it seems the policy is not being applied.
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
@Jon: are your policies in /etc/chromium-browser/policies ? Is there a symlink in that directory?
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
Running Chromium Version 86.0.4240.111 (Official Build) snap (64-bit) on Ubuntu 20.04 and I'm not seeing my policies enforced inside Chromium.
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
Now really fixed with https://git.launchpad.net/~chromium-team/chromium-browser/+git/snap-from-source/commit/?id=6f2b87da50bce971f4baadae348331e1bd024cb8.
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
@Ian, I meant that a snapped application, run as the current user, won't be able to write to its $SNAP_DATA. I just verified that with:

    snap run --shell chromium
    cd $SNAP_DATA
    touch foobar

and got "touch: cannot touch 'foobar': Permission denied"
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
@osomon,

> $SNAP_DATA/policies is not writable by the snap, so the import of existing policies won't work.

$SNAP_DATA is by definition writable, so I'm curious what led you to think that it isn't? If it is showing up as read-only then that would be a snapd bug. Perhaps you were running as non-root, as the directory is root-owned and only writable by root?
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
Note to self for testing purposes: https://www.chromium.org/administrators/linux-quick-start
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
$SNAP_DATA/policies is not writable by the snap, so the import of existing policies won't work. This would have to be implemented in the transitional deb package's postinst script. What can be done is to try $SNAP_DATA/policies, and if that folder doesn't exist fall back to /etc/chromium-browser/policies.
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
The following two commits are an attempt at fixing this:

https://git.launchpad.net/~chromium-team/chromium-browser/+git/snap-from-source/commit/?id=bfe4c3bf4e082ca6329040db23bdee858bd204d2
https://git.launchpad.net/~chromium-team/chromium-browser/+git/snap-from-source/commit/?id=6c9bd6a725fc7b7d560cc20ac9cee1c7cf84cadf

** Changed in: chromium-browser (Ubuntu)
       Status: In Progress => Fix Committed
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
** Changed in: chromium-browser (Ubuntu)
       Status: Triaged => In Progress
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
Is there any update or workaround on this issue? This is going to be a problem for everyone in enterprise environments.
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
And for migration purposes, ideally the existing policies in /etc/chromium-browser/policies would be copied over to $SNAP_DATA/.
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
You're right Oliver, the patch should be adjusted to look for policies in $SNAP_DATA.

** Changed in: chromium-browser (Ubuntu)
     Assignee: (unassigned) => Olivier Tilloy (osomon)

** Changed in: chromium-browser (Ubuntu)
   Importance: Low => Medium
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
is there any particular reason to not simply adjust the patch to point to $SNAP_DATA/etc/chromium-browser/policies ? after all this is where system-wide configs should go ...
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
A separate bug was filed: bug #1866732.
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
@Joachim: there's no separate bug for this yet, but you're right that this needs attention. Would you mind filing one to track this separately? If you can attach examples of custom policies that would be great, too.
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
Is there a separate bug somewhere about actually implementing custom policies? Since 19.10 switched Chromium to Snap this means that not having those is an actual regression compared to 18.10 or 19.04, so I'd say this warrants a slightly higher priority now.
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
The code in chromium that determines where to look for policies is there: https://cs.chromium.org/chromium/src/chrome/common/chrome_paths.cc?l=482.

In the Ubuntu packages this is being patched to "/etc/chromium-browser/policies/": http://bazaar.launchpad.net/~chromium-team/chromium-browser/artful-stable/view/head:/debian/patches/configuration-directory.patch. That patch could be made $SNAP-aware.

That directory is meant for system-wide policies installed by sysadmins, not regular users. In that regard, there is little value in patching it to point to $SNAP/etc/chromium-browser/policies/, since that directory is not writeable.

There doesn't appear to be any way in chromium to disable the instantiation of the policy connector that queries those directories.
[Bug 1714244] Re: [snap] apparmor denials on /etc/chromium-browser/policies/
Given that the denials are harmless and that getting rid of them would require a patch that wouldn't enable sysadmins to actually implement custom policies, I'll lower the importance of that bug.

** Changed in: chromium-browser (Ubuntu)
   Importance: Medium => Low

** Changed in: chromium-browser (Ubuntu)
     Assignee: Olivier Tilloy (osomon) => (unassigned)