linux-traipu team mailing list archive
-
linux-traipu team
-
Mailing list archive
-
Message #10428
[Bug 577919] Re: chromium-browser fails to start (guest account, OpenVZ): "Failed to move to new PID namespace: Operation not permitted"
AND on 13.10. Four years, and nobody gives a damn about making it
REALLY work.
So, what you're saying is "we introduced a "guest" login, but we don't
really want it to be able to do anything (who on earth suggested
"Firefox" was a reasonable workaround?).
So, I have a workaround. Forget about every using the "Guest" account.
Create an a real user account, and remove the password. It's surely less
secure, but it can actually do real work.
--
You received this bug notification because you are a member of UBUNTU -
AL - BR, which is subscribed to Chromium Browser.
https://bugs.launchpad.net/bugs/577919
Title:
chromium-browser fails to start (guest account, OpenVZ): "Failed to
move to new PID namespace: Operation not permitted"
Status in Chromium Browser:
Unknown
Status in Light Display Manager:
Fix Released
Status in OpenVZ kernel (patchset):
Confirmed
Status in “gdm-guest-session” package in Ubuntu:
Confirmed
Status in “lightdm” package in Ubuntu:
Fix Released
Status in “lightdm-remote-session-freerdp” package in Ubuntu:
Fix Released
Status in “lightdm-remote-session-uccsconfigure” package in Ubuntu:
Fix Released
Status in “gdm-guest-session” source package in Precise:
Won't Fix
Status in “lightdm” source package in Precise:
Fix Released
Status in “lightdm-remote-session-freerdp” source package in Precise:
Invalid
Status in “lightdm-remote-session-uccsconfigure” source package in Precise:
Invalid
Bug description:
Binary package hint: chromium-browser
[Impact]
Chromium-browser does not launch from guest session.
Fix by Jamie Strandboge:
"It would be nice if AppArmor could merge profiles, but we can't yet, so we need to do like you initially did: have two mostly identical profiles. Because the lightdm remote sessions are shipping policy copies, the maintenance cost is getting high. I will be abstracting out the guest rules into abstracations/lightdm and then have a small snippet using a child profile in abstractions/lightdm_chromium-browser. The guest and remote lightdm profiles can just include these and all the policy is in the abstractions. Using a lightdm.d directory is a good idea, but upstream AppArmor is currently discussing how to best handle .d directories like this, and I'd rather not add another one until that discussions is finished."
[Test Case]
1. install chromium-browser
2. login to the guest account
3. login to vt1 or login via ssh as a regular user and verify that the lightdm profile
is loaded and guest session applications are confined:
$ sudo aa-status
apparmor module is loaded.
...
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
...
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1378)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1414)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1417)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1418)
...
Note: number of profiles and pids will vary.
4. try to start chromium-browser either via the Dash or a terminal
Prior to upgrading, chromium-browser will fail to start with:
Failed to move to new PID namespace: Operation not permitted
After upgrading, the guest session should be functional and chromium-browser should start. In addition, aa-status should report a child profile for chromium-browser and chromium-browser should be under that confinement with other guest session applications under the lightdm-guest-session-wrapper confinement:
$ sudo aa-status
apparmor module is loaded.
...
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
...
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2667)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2672)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2682)
...
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3090)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3092)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3093)
...
[Regression Potential]
As mentioned in the Impact, the apparmor profile for lightdm has necessarily been broken out into multiple parts. As such, there is potential that the guest session profile won't
work correctly, however, this is easily seen in the test cases and these changes have been in place since 12.10.
[Other Info]
Attached is a debdiff for 12.04. It:
- adds debian/patches/05_lp577919-fix-chromium-launch.patch which is the same as
debian/patches/09_lp577919-fix-chromium-launch.patch from quantal, except it a)
does not include the fix for bug #1059510, which is uneeded on precise and b)
includes the fix for bug #1189948 to install the abstractions with the correct
permissions
- additionally, debian/lightdm.postinst is updated to reload the apparmor profile
on upgrade to this version of lightdm. The code in question uses the same logic
as dh_apparmor, and I'm not sure why lightdm doesn't use dh_apparmor. Rather than
making several packaging changes to use dh_apparmor, I chose this option to reduce
change.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: chromium-browser 5.0.342.9~r43360-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Sun May 9 19:49:44 2010
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta i386 (20100318)
ProcEnviron:
LANG=tr_TR.utf8
SHELL=/bin/bash
SourcePackage: chromium-browser
To manage notifications about this bug go to:
https://bugs.launchpad.net/chromium-browser/+bug/577919/+subscriptions
