This bug was fixed in the package apparmor - 4.1.0~beta5-0ubuntu14.1
---------------
apparmor (4.1.0~beta5-0ubuntu14.1) plucky; urgency=medium

  * This is an SRU from Questing to Plucky, tracked in LP: #2110236
  * Add patch to allow unprivileged_userns access to root dir
    (LP: #2110616):
    - d/p/u/unprivileged_userns_rootdir.patch
  * Add patch to fix lsblk accesses on IBM System Z systems (LP: #2107402)
    and execution from a confined context (LP: #2107455):
    - d/p/u/lsblk-s390-fixes.patch
  * Add patch to fix execution of various commands from confined contexts
    (LP: #2110628):
    - d/p/u/profiles_ensure_access_to_attach_path.patch
  * Add patch to include new QtWebEngineProcess execution path in
    plasmashell profile (LP: #2107723):
    - d/p/u/plasmashell-QtWebEngineProcess-new-path.patch
  * Add patch to allow /cvmfs fusermounts (LP: #2110624):
    - d/p/u/fusermount3_cvmfs.patch
  * Add patch to grant OpenVPN DNS accesses (LP: #2107596, LP: #2109029):
    - d/p/u/openvpn_dnsfix.patch
  * Add patch to expand allowed fusermount3 flags for fuse_overlayfs and
    sshfs via fstab (LP: #2110626, LP: #2111807):
    - d/p/u/fusermount3_allow_more_flags.patch
  * Add patch to fix permission denials for iotop-c (LP: #2107727):
    - d/p/u/profiles-give-iotop-c-additional-accesses.patch
  * Add patch to fix parser handling of norelatime mount flag
    (LP: #2110688):
    - d/p/u/parser-fix-handling-of-norelatime-mount-rule-flag.patch
  * Add patch to fix incorrect mount rule documentation in the apparmor.d
    man page (LP: #2110630):
    - d/p/u/fix-incorrect-mount-flag-apparmor.d-docs.patch
  * Add patch to add regression tests for the above two patches:
    - d/p/u/regression-verify-documented-mount-flag-behavior.patch
  * d/p/u/remmina_mr_1348.patch, d/p/u/remmina-dbus-describeall.patch:
    move the remmina profile to profiles/apparmor/profiles/extras to
    disable it by default (LP: #2102033)
  * debian/apparmor.install: remove the remmina profile entry
  * debian/apparmor-profiles.install: add an entry for the remmina profile
  * debian/apparmor.maintscript: remove the remmina profile upon upgrade

 -- Ryan Lee <[email protected]> Wed, 27 May 2025 11:29:02 -0700

** Changed in: apparmor (Ubuntu Plucky)
Status: Fix Committed => Fix Released
--
https://bugs.launchpad.net/bugs/2107723
Title:
Using KDE Plasma widget "Web Browser" kill Plasma desktop due to
QtWebEngine and AppArmor restrictions
Status in apparmor package in Ubuntu:
Fix Released
Status in apparmor source package in Plucky:
Fix Released
Status in apparmor source package in Questing:
Fix Released
Bug description:
SRU Justification:
[ Impact ]
The plasmashell profile was missing the new path to
QtWebEngineProcess, causing the entire desktop environment to crash
upon attempted usage of the Web Browser widget.
[ Test Plan ]
This test needs to be executed on a freshly provisioned Kubuntu machine with
the new AppArmor installed. Testers might want to install `openssh-server` on
the Kubuntu machine first in order to make extraction of relevant logs easier
in case of test failure.
* Run `sudo aa-status` and verify that a plasmashell and
  plasmashell//QtWebEngineProcess profile is loaded
* Add an empty panel and click on "+ Add Widgets"
* Add the "Web Browser" -> widget is added to panel -> click on "Exit Edit
  Mode"
* Click on icon "Web Browser" or logout/login
* Without the fix:
  - The desktop environment turns black, flickers a few times due to
    attempted restarts, and doesn't return
  - AppArmor generates denial logs such as apparmor="DENIED"
    operation="exec" class="file" info="no new privs" error=-1
    profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" pid=2069
    comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
    target="unconfined"
    + The important parts to match are 'operation="exec"' and 'info="no new
      privs"', and the path under 'name'. If such a log appears, report test
      verification failure
    + If a different apparmor log involving QtWebEngineProcess appears, note
      it in the test report so that we can evaluate if the tester encountered an
      unrelated plasmashell confinement bug
* With the fix: the above error+logging should not occur
[ Where problems could occur ]
The profile changes in this SRU allow a previously denied exec
transition to QtWebEngineProcess by stacking the QtWebEngineProcess
profile on top of the plasmashell profile. However, if a user manually
modified the installed profiles, then the package upgrade would cause
conflicts, and rejection of the incoming changes (either by hand
during an interactive upgrade or automatically during a batch
unattended upgrade) would result in end users not getting the packaged
fix.
It is also possible that the change in confinement of
QtWebEngineProcess could break existing rules in other profiles used
to communicate with QtWebEngineProcess, if those rules explicitly
require QtWebEngineProcess to be under a specific alternative
confinement. This case should only occur if the user is using custom
policy and not using the plasmashell profile, and would require the
custom rules to be updated.
[ Other Info ]
-------- original bug report:
KUBUNTU 25.04 Plucky
plasma-desktop 4:6.3.4-0ubuntu1
apparmor 4.1.0~beta5-0ubuntu14
Using KDE Plasma widget "Web Browser" kill Plasma desktop due to QtWebEngine
and AppArmor restrictions
Add an empty panel and click on "+ Add Widgets"
Search with browser -> click on "Web Browser" -> widget is added to panel ->
click on "Exit Edit Mode"
Click on icon "Web Browser" or logout/login.
After a few seconds, Plasma desktop restarts several times and finally becomes a
black screen and never comes back!!
Logging :
plasmashell[6762]: LaunchProcess: failed to execvp:
plasmashell[6762]: /usr/lib/qt6/libexec/QtWebEngineProcess
kernel: audit: type=1400 audit(1745144377.735:211): apparmor="DENIED"
operation="exec" class="file" info="no new privs" error=-1
profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" pid=6762
comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
target="unconfined"
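
The log triage described in the test plan above can be scripted. The following is an added example, not part of the bug report or the apparmor package; the function names and verdict strings are hypothetical, and the second sample record is constructed for illustration.

```python
import re

# Path taken from the denial quoted in the bug report.
QTWEB_PATH = "/usr/lib/qt6/libexec/QtWebEngineProcess"
# Matches key=value and key="quoted value" pairs in a kernel audit record.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(line):
    """Return the key/value pairs of one audit record as a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(line):
    """Triage one log line as 'fail', 'note' or 'ignore'."""
    f = parse_fields(line)
    if "apparmor" not in f:
        return "ignore"   # not an AppArmor record
    if (f["apparmor"] == "DENIED" and f.get("operation") == "exec"
            and f.get("info") == "no new privs"
            and f.get("name") == QTWEB_PATH):
        return "fail"     # the denial the fix is meant to remove
    if any("QtWebEngineProcess" in v for v in f.values()):
        return "note"     # different record: mention it in the test report
    return "ignore"

def verdict(lines):
    """Overall result for a captured log (hypothetical labels)."""
    kinds = {classify(line) for line in lines}
    if "fail" in kinds:
        return "failed"
    return "passed-with-notes" if "note" in kinds else "passed"

# Sample input: [0] and [2] are the records quoted in the original report,
# [1] is a constructed record standing in for an unrelated denial.
SAMPLE = [
    'kernel: audit: type=1400 audit(1745144377.735:211): apparmor="DENIED" '
    'operation="exec" class="file" info="no new privs" error=-1 '
    'profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" '
    'pid=6762 comm="plasmashell" requested_mask="x" denied_mask="x" '
    'fsuid=1000 ouid=0 target="unconfined"',
    'kernel: audit: type=1400 audit(1745144400.000:300): apparmor="DENIED" '
    'operation="open" class="file" profile="plasmashell//QtWebEngineProcess" '
    'name="/constructed/example/file" pid=7000 comm="constructed" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'plasmashell[6762]: LaunchProcess: failed to execvp:',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "|", line[:60])
    print("verdict:", verdict(SAMPLE))
```
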