Chromium profile prevents chromium-browser from starting (Could not close socketpair: Permission denied)

Bug #1374363 reported by Esokrates
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Jamie Strandboge

Bug Description

When setting /etc/apparmor.d/usr.bin.chromium-browser to enforced mode, chromium browser no longer starts on fully updated utopic as of today.
In the previous weeks this worked without problems, so something broke recently.

With chromium in enforced mode I get "Could not close socketpair: Permission denied" when trying to launch chromium-browser.

Denial:
audit: type=1400 audit(1411739070.115:113): apparmor="DENIED" operation="socket_shutdown" profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" pid=4131 comm="chrome-sandbox" family="unix" sock_type="stream" protocol=0 requested_mask="shutdown" denied_mask="shutdown" addr=none

This rule is present:
  unix (getattr, getopt, setopt, shutdown) peer=(addr=none),

but it should be:
  unix (getattr, getopt, setopt, shutdown) addr=none,

Tags: utopic
Jamie Strandboge (jdstrand) wrote :

Can you attach the output of 'grep DEN /var/log/syslog' at the time of the denial?

Changed in apparmor (Ubuntu):
status: New → Incomplete
Esokrates (esokrarkose) wrote :

That denial might be the relevant one:

Sep 26 14:49:10 ubuntu kernel: [ 53.916666] audit: type=1400 audit(1411735750.942:62): apparmor="DENIED" operation="socket_shutdown" profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" pid=2965 comm="chrome-sandbox" family="unix" sock_type="stream" protocol=0 requested_mask="shutdown" denied_mask="shutdown" addr=none

Jamie Strandboge (jdstrand) wrote :

From IRC:
Sep 26 11:42:16 ubuntu kernel: [ 23.300887] audit: type=1400 audit(1411724536.410:59): apparmor="DENIED" operation="socket_shutdown" profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" pid=2921 comm="chrome-sandbox" family="unix" sock_type="stream" protocol=0 requested_mask="shutdown" denied_mask="shutdown" addr=none
Sep 26 11:42:16 ubuntu kernel: [ 23.300914] audit: type=1400 audit(1411724536.410:60): apparmor="DENIED" operation="socket_shutdown" profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" pid=2922 comm="chrome-sandbox" family="unix" sock_type="stream" protocol=0 requested_mask="shutdown" denied_mask="shutdown" addr=none
Sep 26 14:49:10 ubuntu kernel: [ 53.916645] audit: type=1400 audit(1411735750.942:61): apparmor="DENIED" operation="socket_shutdown" profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" pid=2964 comm="chrome-sandbox" family="unix" sock_type="stream" protocol=0 requested_mask="shutdown" denied_mask="shutdown" addr=none
Sep 26 14:49:10 ubuntu kernel: [ 53.916666] audit: type=1400 audit(1411735750.942:62): apparmor="DENIED" operation="socket_shutdown" profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" pid=2965 comm="chrome-sandbox" family="unix" sock_type="stream" protocol=0 requested_mask="shutdown" denied_mask="shutdown" addr=none

Jamie Strandboge (jdstrand) wrote :

It looks like your profile didn't get updated since the chromium profile in the apparmor profile package contains this rule:
    unix (getattr, getopt, setopt, shutdown) peer=(addr=none),

Can you attach /etc/apparmor.d/usr.bin.chromium-browser? (It sounds like maybe you modified this file, upgraded, and chose not to use the new profile. You probably have a /etc/apparmor.d/usr.bin.chromium-browser.dpkg-new that you'll have to merge in the changes.)

Esokrates (esokrarkose) wrote :
description: updated
Changed in apparmor (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.96~2652-0ubuntu7

---------------
apparmor (2.8.96~2652-0ubuntu7) utopic; urgency=medium

  * add-chromium-browser.patch: use addr=none instead of peer=(addr=none)
    (LP: #1374363)
 -- Jamie Strandboge <email address hidden> Sat, 27 Sep 2014 07:41:07 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
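
Added example (not part of the original report, and not AppArmor's own code): a small Python triage script that parses the denial line quoted in this report and checks it against the two profile rules from the bug description. The function names and the verdict logic are assumptions made for illustration; the verdict is a simplified heuristic, not the matching algorithm used by apparmor_parser.

```python
import re

# Denial line as quoted in this report (one syslog record).
SAMPLE_LOG = (
    'Sep 26 14:49:10 ubuntu kernel: [ 53.916666] audit: type=1400 '
    'audit(1411735750.942:62): apparmor="DENIED" operation="socket_shutdown" '
    'profile="/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" '
    'pid=2965 comm="chrome-sandbox" family="unix" sock_type="stream" protocol=0 '
    'requested_mask="shutdown" denied_mask="shutdown" addr=none\n'
)
OLD_RULE = "unix (getattr, getopt, setopt, shutdown) peer=(addr=none),"
NEW_RULE = "unix (getattr, getopt, setopt, shutdown) addr=none,"

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE = re.compile(r'^\s*unix\s+\(([^)]*)\)\s*(.*?),\s*$')
PEER = re.compile(r'peer=\(([^)]*)\)')

def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    out = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' in line:
            out.append({k: v.strip('"') for k, v in FIELD.findall(line)})
    return out

def parse_rule(rule):
    """Split a unix rule into (permissions, local conditions, peer conditions)."""
    m = RULE.match(rule)
    if not m:
        return None
    perms = {p.strip() for p in m.group(1).split(",")}
    peer = PEER.search(m.group(2))
    peer_conds = dict(FIELD.findall(peer.group(1))) if peer else {}
    local_conds = dict(FIELD.findall(PEER.sub("", m.group(2))))
    return perms, local_conds, peer_conds

def explain(denial, rule):
    """Heuristic verdict on whether `rule` addresses `denial` (assumption)."""
    parsed = parse_rule(rule)
    if parsed is None or denial.get("family") != "unix":
        return "not-applicable"
    perms, local_conds, peer_conds = parsed
    if denial.get("denied_mask") not in perms:
        return "permission-missing"
    # The denial here logs only a local addr= field and no peer field.
    if peer_conds and not any(k.startswith("peer") for k in denial):
        return "peer-condition-on-local-only-denial"
    if any(denial.get(k) != v for k, v in local_conds.items()):
        return "local-condition-mismatch"
    return "covers-denial"
```
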