linux-traipu team mailing list archive

[Bug 577919] Re: chromium-browser fails to start (guest account, OpenVZ): "Failed to move to new PID namespace: Operation not permitted"

** Description changed:

  Binary package hint: chromium-browser
  
  [Impact]
  Chromium-browser does not launch from guest session.
  
  Fix by Jamie Strandboge:
  "It would be nice if AppArmor could merge profiles, but we can't yet, so we need to do like you initially did: have two mostly identical profiles. Because the lightdm remote sessions are shipping policy copies, the maintenance cost is getting high. I will be abstracting out the guest rules into abstracations/lightdm and then have a small snippet using a child profile in abstractions/lightdm_chromium-browser. The guest and remote lightdm profiles can just include these and all the policy is in the abstractions. Using a lightdm.d directory is a good idea, but upstream AppArmor is currently discussing how to best handle .d directories like this, and I'd rather not add another one until that discussions is finished."
  
  [Test Case]
- Login to the guest account after booting in Ubuntu Precise and try to run Chromium-browser.
+ 1. install chromium-browser
+ 2. login to the guest account
+ 3. login to vt1 or login via ssh as a regular user and verify that the lightdm profile
+    is loaded and guest session applications are confined:
+ $ sudo aa-status
+ apparmor module is loaded.
+ ...
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
+ ...
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1378) 
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1414) 
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1417) 
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1418)
+ ...
+ 
+ Note: number of profiles and pids will vary.
+ 
+ 4. try to start chromium-browser either via the Dash or a terminal
+ 
+ Prior to upgrading, chromium-browser will fail to start with:
+ Failed to move to new PID namespace: Operation not permitted
+ 
+ After upgrading, the guest session should be functional and chromium-browser should start. In addition, aa-status should report a child profile for chromium-browser and chromium-browser should be under that confinement:
+ $ sudo aa-status
+ apparmor module is loaded.
+ ...
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
+ ...
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3090) 
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3092) 
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3093)
+ ...
  
  [Regression Potential]
- Upstream work on AppArmor was considered here and a child profile was added not touching the other policies so the regression potential is pretty low.
+ As mentioned in the Impact, the apparmor profile for lightdm has necessarily been broken out into multiple parts. As such, there is potential that the guest session profile won't
+ work correctly, however, this is easily seen in the test cases and these changes have been in place since 12.10.
+ 
+ [Other Info]
+ Attached is a debdiff for 12.04. It:
+  - adds debian/patches/05_lp577919-fix-chromium-launch.patch which is the same as
+    debian/patches/09_lp577919-fix-chromium-launch.patch from quantal, except it a)
+    does not include the fix for bug #1059510, which is uneeded on precise and b)
+    includes the fix for bug #1189948 to install the abstractions with the correct
+    permissions
+  - additionally, debian/lightdm.postinst is updated to reload the apparmor profile
+    on upgrade to this version of lightdm. The code in question uses the same logic
+    as dh_apparmor, and I'm not sure why lightdm doesn't use dh_apparmor. Rather than
+    making several packaging changes to use dh_apparmor, I chose this option to reduce
+    change.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 10.04
  Package: chromium-browser 5.0.342.9~r43360-0ubuntu2
  ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
  Uname: Linux 2.6.32-22-generic i686
  Architecture: i386
  Date: Sun May  9 19:49:44 2010
  InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta i386 (20100318)
  ProcEnviron:
   LANG=tr_TR.utf8
   SHELL=/bin/bash
  SourcePackage: chromium-browser

** Changed in: gdm-guest-session (Ubuntu Precise)
       Status: New => Won't Fix

** Patch added: "lightdm_1.2.3-0ubuntu2.2.debdiff"
   https://bugs.launchpad.net/ubuntu/precise/+source/gdm-guest-session/+bug/577919/+attachment/3700993/+files/lightdm_1.2.3-0ubuntu2.2.debdiff

** Description changed:

  Binary package hint: chromium-browser
  
  [Impact]
  Chromium-browser does not launch from guest session.
  
  Fix by Jamie Strandboge:
  "It would be nice if AppArmor could merge profiles, but we can't yet, so we need to do like you initially did: have two mostly identical profiles. Because the lightdm remote sessions are shipping policy copies, the maintenance cost is getting high. I will be abstracting out the guest rules into abstracations/lightdm and then have a small snippet using a child profile in abstractions/lightdm_chromium-browser. The guest and remote lightdm profiles can just include these and all the policy is in the abstractions. Using a lightdm.d directory is a good idea, but upstream AppArmor is currently discussing how to best handle .d directories like this, and I'd rather not add another one until that discussions is finished."
  
  [Test Case]
  1. install chromium-browser
  2. login to the guest account
  3. login to vt1 or login via ssh as a regular user and verify that the lightdm profile
-    is loaded and guest session applications are confined:
+    is loaded and guest session applications are confined:
  $ sudo aa-status
  apparmor module is loaded.
  ...
-    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
  ...
-    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1378) 
-    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1414) 
-    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1417) 
-    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1418)
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1378)
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1414)
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1417)
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1418)
  ...
  
  Note: number of profiles and pids will vary.
  
  4. try to start chromium-browser either via the Dash or a terminal
  
  Prior to upgrading, chromium-browser will fail to start with:
  Failed to move to new PID namespace: Operation not permitted
  
- After upgrading, the guest session should be functional and chromium-browser should start. In addition, aa-status should report a child profile for chromium-browser and chromium-browser should be under that confinement:
+ After upgrading, the guest session should be functional and chromium-browser should start. In addition, aa-status should report a child profile for chromium-browser and chromium-browser should be under that confinement with other guest session applications under the lightdm-guest-session-wrapper confinement:
  $ sudo aa-status
  apparmor module is loaded.
  ...
-    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
-    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
  ...
-    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3090) 
-    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3092) 
-    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3093)
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2667) 
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2672) 
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2682)
+ ...
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3090)
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3092)
+    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3093)
  ...
  
  [Regression Potential]
  As mentioned in the Impact, the apparmor profile for lightdm has necessarily been broken out into multiple parts. As such, there is potential that the guest session profile won't
  work correctly, however, this is easily seen in the test cases and these changes have been in place since 12.10.
  
  [Other Info]
  Attached is a debdiff for 12.04. It:
-  - adds debian/patches/05_lp577919-fix-chromium-launch.patch which is the same as
-    debian/patches/09_lp577919-fix-chromium-launch.patch from quantal, except it a)
-    does not include the fix for bug #1059510, which is uneeded on precise and b)
-    includes the fix for bug #1189948 to install the abstractions with the correct
-    permissions
-  - additionally, debian/lightdm.postinst is updated to reload the apparmor profile
-    on upgrade to this version of lightdm. The code in question uses the same logic
-    as dh_apparmor, and I'm not sure why lightdm doesn't use dh_apparmor. Rather than
-    making several packaging changes to use dh_apparmor, I chose this option to reduce
-    change.
+  - adds debian/patches/05_lp577919-fix-chromium-launch.patch which is the same as
+    debian/patches/09_lp577919-fix-chromium-launch.patch from quantal, except it a)
+    does not include the fix for bug #1059510, which is uneeded on precise and b)
+    includes the fix for bug #1189948 to install the abstractions with the correct
+    permissions
+  - additionally, debian/lightdm.postinst is updated to reload the apparmor profile
+    on upgrade to this version of lightdm. The code in question uses the same logic
+    as dh_apparmor, and I'm not sure why lightdm doesn't use dh_apparmor. Rather than
+    making several packaging changes to use dh_apparmor, I chose this option to reduce
+    change.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 10.04
  Package: chromium-browser 5.0.342.9~r43360-0ubuntu2
  ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
  Uname: Linux 2.6.32-22-generic i686
  Architecture: i386
  Date: Sun May  9 19:49:44 2010
  InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta i386 (20100318)
  ProcEnviron:
   LANG=tr_TR.utf8
   SHELL=/bin/bash
  SourcePackage: chromium-browser

https://bugs.launchpad.net/bugs/577919

Title:
  chromium-browser fails to start (guest account, OpenVZ): "Failed to
  move to new PID namespace: Operation not permitted"

Status in Chromium Browser:
  Unknown
Status in Light Display Manager:
  Fix Released
Status in OpenVZ kernel (patchset):
  Confirmed
Status in “gdm-guest-session” package in Ubuntu:
  Confirmed
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “lightdm-remote-session-freerdp” package in Ubuntu:
  Fix Released
Status in “lightdm-remote-session-uccsconfigure” package in Ubuntu:
  Fix Released
Status in “gdm-guest-session” source package in Precise:
  Won't Fix
Status in “lightdm” source package in Precise:
  In Progress
Status in “lightdm-remote-session-freerdp” source package in Precise:
  Invalid
Status in “lightdm-remote-session-uccsconfigure” source package in Precise:
  Invalid

Bug description:
  Binary package hint: chromium-browser

  [Impact]
  Chromium-browser does not launch from guest session.

  Fix by Jamie Strandboge:
  "It would be nice if AppArmor could merge profiles, but we can't yet, so we need to do like you initially did: have two mostly identical profiles. Because the lightdm remote sessions are shipping policy copies, the maintenance cost is getting high. I will be abstracting out the guest rules into abstractions/lightdm and then have a small snippet using a child profile in abstractions/lightdm_chromium-browser. The guest and remote lightdm profiles can just include these and all the policy is in the abstractions. Using a lightdm.d directory is a good idea, but upstream AppArmor is currently discussing how to best handle .d directories like this, and I'd rather not add another one until that discussion is finished."

  [Test Case]
  1. install chromium-browser
  2. login to the guest account
  3. login to vt1 or login via ssh as a regular user and verify that the lightdm profile
     is loaded and guest session applications are confined:
  $ sudo aa-status
  apparmor module is loaded.
  ...
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
  ...
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1378)
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1414)
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1417)
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1418)
  ...

  Note: number of profiles and pids will vary.

  4. try to start chromium-browser either via the Dash or a terminal

  Prior to upgrading, chromium-browser will fail to start with:
  Failed to move to new PID namespace: Operation not permitted

  After upgrading, the guest session should be functional and chromium-browser should start. In addition, aa-status should report a child profile for chromium-browser and chromium-browser should be under that confinement with other guest session applications under the lightdm-guest-session-wrapper confinement:
  $ sudo aa-status
  apparmor module is loaded.
  ...
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
  ...
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2667) 
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2672) 
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2682)
  ...
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3090)
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3092)
     /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3093)
  ...

  [Regression Potential]
  As mentioned in the Impact, the apparmor profile for lightdm has necessarily been broken out into multiple parts. As such, there is potential that the guest session profile won't
  work correctly; however, this is easily seen in the test cases, and these changes have been in place since 12.10.

  [Other Info]
  Attached is a debdiff for 12.04. It:
   - adds debian/patches/05_lp577919-fix-chromium-launch.patch which is the same as
     debian/patches/09_lp577919-fix-chromium-launch.patch from quantal, except it a)
     does not include the fix for bug #1059510, which is unneeded on precise and b)
     includes the fix for bug #1189948 to install the abstractions with the correct
     permissions
   - additionally, debian/lightdm.postinst is updated to reload the apparmor profile
     on upgrade to this version of lightdm. The code in question uses the same logic
     as dh_apparmor, and I'm not sure why lightdm doesn't use dh_apparmor. Rather than
     making several packaging changes to use dh_apparmor, I chose this option to reduce
     change.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.04
  Package: chromium-browser 5.0.342.9~r43360-0ubuntu2
  ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
  Uname: Linux 2.6.32-22-generic i686
  Architecture: i386
  Date: Sun May  9 19:49:44 2010
  InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta i386 (20100318)
  ProcEnviron:
   LANG=tr_TR.utf8
   SHELL=/bin/bash
  SourcePackage: chromium-browser
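
The aa-status check from steps 3 and 4 of the test case, as an added shell example (not part of the lightdm package or of the attached debdiff): it reads an aa-status dump and succeeds only when the chromium_browser child profile is loaded and has processes confined by it. The two dumps below are constructed to mirror the before/after output in the description; the PIDs are made up.

```shell
#!/bin/sh
# Added example: check the confinement the test case expects from an
# aa-status dump. Sample dumps are constructed from the bug's expected
# output; PIDs are made up.
WRAPPER=/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
CHILD="$WRAPPER//chromium_browser"

# Pre-fix shape: only the wrapper profile exists, no chromium child.
SAMPLE_BEFORE='apparmor module is loaded.
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1378)
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1414)'

# Post-fix shape: child profile loaded, chromium processes under it.
SAMPLE_AFTER='apparmor module is loaded.
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2667)
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2672)
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3090)
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3092)
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3093)'

# count_under PROFILE TEXT: number of "PROFILE (pid)" process lines in TEXT.
# The trailing " *" tolerates the trailing blanks aa-status emits.
count_under() {
    printf '%s\n' "$2" | grep -c "^ *$1 ([0-9][0-9]*) *\$" || true
}

# guest_session_ok TEXT: 0 when the chromium child profile is loaded (rc 1 if
# not) and at least one process is confined by it (rc 2 if none).
guest_session_ok() {
    printf '%s\n' "$1" | grep -q "^ *$CHILD *\$" || return 1
    [ "$(count_under "$CHILD" "$1")" -gt 0 ] || return 2
    return 0
}

for label in BEFORE AFTER; do
    eval "dump=\$SAMPLE_$label"
    if guest_session_ok "$dump"; then
        echo "$label: $(count_under "$CHILD" "$dump") chromium process(es) under $CHILD"
    else
        echo "$label: chromium child profile missing or unused (rc=$?)"
    fi
done
```

On a live system, run `guest_session_ok "$(sudo aa-status)"` while a guest session has chromium-browser open.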
