Public bug reported:
If Chromium is started, a plethora of AppArmor notifications are shown
(apparmor-notify installed) and logged to syslog.
I would expect that these are included in the supplied AppArmor profile
and no notifications/log entries appear.
Example in syslog:
kernel: [85217.346416] kauditd_printk_skb: 67 callbacks suppressed
kernel: [85217.346418] audit: type=1400 audit(1503309729.810:2095):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/1110/setgroups" pid=1110 comm="chromium-browse" requested_mask="w"
denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.346419] audit: type=1400 audit(1503309729.810:2096):
apparmor="ALLOWED" operation="capable"
profile="/usr/lib/chromium-browser/chromium-browser" pid=1110
comm="chromium-browse" capability=21 capname="sys_admin"
kernel: [85217.346420] audit: type=1400 audit(1503309729.810:2097):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1110/gid_map"
pid=1110 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000
ouid=1000
kernel: [85217.346420] audit: type=1400 audit(1503309729.810:2098):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1110/uid_map"
pid=1110 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000
ouid=1000
kernel: [85217.347648] audit: type=1400 audit(1503309729.810:2099):
apparmor="ALLOWED" operation="capable"
profile="/usr/lib/chromium-browser/chromium-browser" pid=1069
comm="chromium-browse" capability=21 capname="sys_admin"
kernel: [85217.348429] audit: type=1400 audit(1503309729.814:2100):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/1111/setgroups" pid=1111 comm="chromium-browse" requested_mask="w"
denied_mask="w" fsuid=1000 ouid=1000
kernel: [85217.348430] audit: type=1400 audit(1503309729.814:2101):
apparmor="ALLOWED" operation="capable"
profile="/usr/lib/chromium-browser/chromium-browser" pid=1111
comm="chromium-browse" capability=21 capname="sys_admin"
kernel: [85217.348431] audit: type=1400 audit(1503309729.814:2102):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1111/uid_map"
pid=1111 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000
ouid=1000
kernel: [85217.348432] audit: type=1400 audit(1503309729.814:2103):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/1111/gid_map"
pid=1111 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000
ouid=1000
kernel: [85217.654651] audit: type=1400 audit(1503309730.118:2104):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/1111/setgroups" pid=1111 comm="chromium-browse" requested_mask="w"
denied_mask="w" fsuid=1000 ouid=1000
kernel: [85262.883573] kauditd_printk_skb: 114 callbacks suppressed
kernel: [85262.883577] audit: type=1400 audit(1503309775.343:2219):
apparmor="ALLOWED" operation="exec"
profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings"
name="/usr/bin/tr" pid=1299 comm="xdg-mime" requested_mask="x" denied_mask="x"
fsuid=1000 ouid=0
target="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
kernel: [85262.883658] audit: type=1400 audit(1503309775.343:2220):
apparmor="ALLOWED" operation="file_inherit"
profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
name="/dev/null" pid=1299 comm="tr" requested_mask="w" denied_mask="w"
fsuid=1000 ouid=0
kernel: [85262.883677] audit: type=1400 audit(1503309775.343:2221):
apparmor="ALLOWED" operation="file_mmap"
profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
name="/usr/bin/tr" pid=1299 comm="tr" requested_mask="rm" denied_mask="rm"
fsuid=1000 ouid=0
kernel: [85262.883697] audit: type=1400 audit(1503309775.343:2222):
apparmor="ALLOWED" operation="file_mmap"
profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=1299 comm="tr" requested_mask="rm"
denied_mask="rm" fsuid=1000 ouid=0
kernel: [85262.883802] audit: type=1400 audit(1503309775.343:2223):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
name="/etc/ld.so.cache" pid=1299 comm="tr" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
kernel: [85262.883813] audit: type=1400 audit(1503309775.343:2224):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=1299 comm="tr"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [85262.883826] audit: type=1400 audit(1503309775.343:2225):
apparmor="ALLOWED" operation="file_mmap"
profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=1299 comm="tr"
requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
kernel: [85262.884160] audit: type=1400 audit(1503309775.347:2226):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
name="/usr/lib/locale/locale-archive" pid=1299 comm="tr" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
kernel: [85262.887590] audit: type=1400 audit(1503309775.347:2227):
apparmor="ALLOWED" operation="exec"
profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings"
name="/usr/bin/tr" pid=1304 comm="xdg-mime" requested_mask="x" denied_mask="x"
fsuid=1000 ouid=0
target="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
kernel: [85262.887684] audit: type=1400 audit(1503309775.347:2228):
apparmor="ALLOWED" operation="file_mmap"
profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings//null-/usr/bin/tr"
name="/usr/bin/tr" pid=1304 comm="tr" requested_mask="rm" denied_mask="rm"
fsuid=1000 ouid=0
kernel: [85277.740804] kauditd_printk_skb: 21 callbacks suppressed
kernel: [85277.740807] audit: type=1400 audit(1503309790.203:2250):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/vmstat"
pid=1069 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
kernel: [85277.874037] audit: type=1400 audit(1503309790.335:2251):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/1352/task/1352/status" pid=1069 comm="Chrome_FileUser"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874082] audit: type=1400 audit(1503309790.335:2252):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/1352/task/1353/status" pid=1069 comm="Chrome_FileUser"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874123] audit: type=1400 audit(1503309790.335:2253):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/1352/task/1354/status" pid=1069 comm="Chrome_FileUser"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874177] audit: type=1400 audit(1503309790.335:2254):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/1352/task/1355/status" pid=1069 comm="Chrome_FileUser"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.874225] audit: type=1400 audit(1503309790.335:2255):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/1352/task/1356/status" pid=1069 comm="Chrome_FileUser"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.875432] audit: type=1400 audit(1503309790.335:2256):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/1352/task/1352/status" pid=1069 comm="Chrome_FileUser"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.875467] audit: type=1400 audit(1503309790.335:2257):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/1352/task/1353/status" pid=1069 comm="Chrome_FileUser"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.875501] audit: type=1400 audit(1503309790.335:2258):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/1352/task/1354/status" pid=1069 comm="Chrome_FileUser"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85277.875563] audit: type=1400 audit(1503309790.335:2259):
apparmor="ALLOWED" operation="open"
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/1352/task/1352/status" pid=1069 comm="Chrome_FileUser"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [85287.429217] kauditd_printk_skb: 10 callbacks suppressed
kernel: [85287.429220] audit: type=1400 audit(1503309799.891:2270):
apparmor="ALLOWED" operation="capable"
profile="/usr/lib/chromium-browser/chromium-browser" pid=1142
comm="chromium-browse" capability=21 capname="sys_admin"
Release: Ubuntu 16.04.3 LTS
Package Version: chromium-browser 60.0.3112.78-0ubuntu0.16.04.1293
** Affects: chromium-browser (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
If Chromium is started, a plethora of AppArmor notifications are shown
- (apparmor-notify installed) and loggeg to syslog.
+ (apparmor-notify installed) and logged to syslog.
I would expect that these are included in the supplied AppArmor profile
and no notifications/log entries appear.
-
Example in syslog:
-
Release: Ubuntu 16.04.3 LTS
Package Version: chromium-browser 60.0.3112.78-0ubuntu0.16.04.1293
https://bugs.launchpad.net/bugs/1712044
Title:
AppArmor profile misses entries
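One way to collapse an audit excerpt like the one in this report into the distinct accesses the loaded profile does not cover, as an added example that is not part of the original bug report or of AppArmor's own tooling. The sample log is constructed, and the function names and the `<pid>`/`<tid>` placeholders are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the wrapped syslog layout seen in the report.
SAMPLE = """\
kernel: [100.000001] kauditd_printk_skb: 3 callbacks suppressed
kernel: [100.000002] audit: type=1400 audit(1500000000.001:10):
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/4001/uid_map" pid=4001 comm="chromium-browse" requested_mask="w"
denied_mask="w" fsuid=1000 ouid=1000
kernel: [100.000003] audit: type=1400 audit(1500000000.001:11):
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/4002/uid_map" pid=4002 comm="chromium-browse" requested_mask="w"
denied_mask="w" fsuid=1000 ouid=1000
kernel: [100.000004] audit: type=1400 audit(1500000000.002:12):
apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser"
pid=4001 comm="chromium-browse" capability=21 capname="sys_admin"
kernel: [100.000005] audit: type=1400 audit(1500000000.003:13):
apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/4100/task/4101/status" pid=4000 comm="Chrome_FileUser" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def records(text):
    """Rejoin wrapped lines: a new record starts at each 'kernel:' prefix."""
    buf = []
    for line in text.splitlines():
        if line.startswith("kernel:") and buf:
            yield " ".join(buf)
            buf = []
        buf.append(line.strip())
    if buf:
        yield " ".join(buf)

def parse(record):
    """Return the fields of one AppArmor audit record, or None for other lines."""
    if "apparmor=" not in record:
        return None  # e.g. the kauditd 'callbacks suppressed' notice
    return {k: (q if q else u) for k, q, u in FIELD.findall(record)}

def normalise(path):
    """Replace per-process ids so /proc/1110/... and /proc/1111/... group together."""
    path = re.sub(r"^/proc/\d+/task/\d+", "/proc/<pid>/task/<tid>", path)
    return re.sub(r"^/proc/\d+", "/proc/<pid>", path)

def summarise(text):
    """Count events per (verdict, profile, operation, target, mask)."""
    counts = Counter()
    for f in filter(None, map(parse, records(text))):
        op = f.get("operation", "")
        # Capability events carry capname instead of a file name.
        target = "cap:" + f.get("capname", "") if op == "capable" else normalise(f.get("name", ""))
        key = (f["apparmor"], f.get("profile", ""), op, target, f.get("denied_mask", ""))
        counts[key] += 1
    return counts
```

Calling `summarise()` on a syslog excerpt returns a `Counter` whose keys are the distinct accesses, so repeated per-process entries appear once with their count.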