touch-packages team mailing list archive

Thread
Date

[Bug 1419294] Re: Apparmor chromium profile denies loading policies

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1419294@xxxxxxxxxxxxxxxxxx>
Date: Mon, 30 Mar 2015 22:11:35 -0000
Reply-to: Bug 1419294 <1419294@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package apparmor - 2.9.1-0ubuntu8

---------------
apparmor (2.9.1-0ubuntu8) vivid; urgency=medium

  [ Steve Beattie ]
  * debian/rules: run make check on the libapparmor library
  * add-chromium-browser.patch: add support for chromium policies
    (LP: #1419294)
  * debian/apparmor.{init,upstart}: add support for triggering
    aa-profile-hook runs when packages are updated via snappy system
    image updates (LP: #1434143)
  * parser-fix_modifier_compilation_+_tests.patch: fix compilation
    of audit modifiers for exec and pivot_root and deny modifiers on
    link rules as well as significantly expand related tests
    (LP: #1431717, LP: #1432045, LP: #1433829)
  * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work
    around pivot_root test failures due to init=systemd (LP: #1436109)
  * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority
    file to X abstraction (LP: #1432126)

  [ Jamie Strandboge ]
  * easyprof-framework-policy.patch: add --include-templates-dir and
    --include-policy-groups-dir options to easyprof to support framework
    policy on snappy

  [ Robie Basak ]
  * Add /lib/apparmor/profile-load; moved from
    /lib/init/apparmor-profile-load from the upstart package. A wrapper at
    the original path is now provided by init-system-helpers. (LP: #1432683)
 -- Jamie Strandboge <jamie@xxxxxxxxxx>   Sat, 28 Mar 2015 07:22:30 -0500

** Changed in: apparmor (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1419294

Title:
  Apparmor chromium profile denies loading policies

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  Profiles in /etc/chromium-browser/policies/managed or /etc/chromium-
  browser/policies/recommended are ignored when using the apparmor
  profile.

  Syslog excerpt:

  Feb  7 17:10:11 ubuntu kernel: [23893.781721] audit: type=1400
  audit(1423325411.004:109): apparmor="DENIED" operation="open"
  profile="/usr/lib/chromium-browser/chromium-browser" name="/etc
  /chromium-browser/policies/managed/policy.json" pid=16928
  comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000
  ouid=0

  How to test:

  Create a file policy.json in /etc/chromium-browser/policies/managed
  containing:

  {
    "RestoreOnStartup": 1
  }

  start the browser and type in "about:policy". Normally you should see
  the policy being listed there, which is currently not the case because
  apparmor denies the reading the policy file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1419294/+subscriptions

References

[Bug 1419294] [NEW] Apparmor chromium profile denies loading policies
From: Esokrates, 2015-02-07