← Back to team overview

touch-packages team mailing list archive

[Bug 1494176] Re: apparmor confined applications with a WebView get a denial for sys_admin capability

 

*** This bug is a duplicate of bug 1447311 ***
    https://bugs.launchpad.net/bugs/1447311

** This bug has been marked a duplicate of bug 1447311
   Disable unprivileged namespace sandbox

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1494176

Title:
  apparmor confined applications with a WebView get a denial for
  sys_admin capability

Status in Oxide:
  New
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  New

Bug description:
  Testing oxide 1.9.1 on arale, I created a simple click package that
  simply launches qmlview with the following bit of QML:

      import QtQuick 2.4
      import com.canonical.Oxide 1.9
      WebView {
          url: "http://example.org";
      }

  The manifest for the app has policy groups "networking" and "webview",
  and the policy version is 1.3.

  When I launch the app, it fails to start, and the app’s log is the
  following:

      [0910/101904:FATAL:zygote_host_impl_linux.cc(182)] Check failed:
  process.IsValid(). Failed to launch zygote process

  Looking into /var/log/syslog, I’m seeing the following denial:

      Sep 10 10:19:28 ubuntu-phablet kernel: [  320.255767] type=1400
  audit(1441873168.850:197): apparmor="DENIED" operation="capable"
  profile="testwebview.osomon_testwebview_0.1" pid=4281 comm="qmlscene"
  capability=21  capname="sys_admin"

To manage notifications about this bug go to:
https://bugs.launchpad.net/oxide/+bug/1494176/+subscriptions


References